Authorization Bypass in AstrBot by AstrBotDevs
CVE-2026-16075
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 18 July 2026
Badges
What is CVE-2026-16075?
A significant security flaw has been identified in AstrBot by AstrBotDevs, specifically affecting the session-listing endpoint of the OpenApiRoute.get_chat_sessions function. This vulnerability stems from improper handling of the 'Username' argument within the open_api.py file, allowing unauthorized access to user sessions. Attackers can exploit this weakness remotely, meaning they do not need physical access to the system to initiate an attack. Despite early notifications, the vendor did not respond, indicating a potential lack of timely remediation.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
