Authentication Bypass in AstrBot by AstrBotDevs API Component
CVE-2026-16076
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 18 July 2026
Badges
What is CVE-2026-16076?
A vulnerability exists in the AstrBot API, specifically within the OpenApiRoute.chat_send function. By manipulating the Username parameter, an attacker can bypass authentication, enabling unauthorized access to the system. This flaw is remotely exploitable, posing a significant risk to users. Despite early warnings to the vendor, no response has been documented regarding this critical issue, allowing it to remain publicly disclosed and accessible for potential exploitation.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
