PYSEC-2026-2383

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-2383.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2383
Aliases
Published
2026-07-13T15:35:22.659837Z
Modified
2026-07-13T16:31:31.295800319Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
AstrBot: Manipulation of astr_main_agent's session_id parameter leads to authorization bypass
Details

A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astrmainagent of the file astrbot/core/astrmainagent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

Affected packages

PyPI / astrbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
4.24.2

Affected versions

3.*
3.4.39
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.5.14
3.5.15
3.5.17
3.5.18
3.5.19
3.5.20
3.5.21
3.5.22
3.5.23
3.5.24
3.5.25
3.5.26
3.5.27
4.*
4.0.0b1
4.0.0b2
4.0.0b3
4.0.0b4
4.0.0b5
4.0.0
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0
4.2.1
4.3.0
4.3.1
4.3.2
4.3.3
4.3.5
4.5.0
4.5.1
4.5.2
4.5.3
4.5.6
4.5.7
4.5.8
4.6.0
4.6.1
4.7.0
4.7.1
4.7.3
4.7.4
4.8.0
4.9.0
4.9.1
4.9.2
4.10.0a1
4.10.0a2
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.11.0
4.11.1
4.11.2
4.11.3
4.11.4
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.13.0
4.13.1
4.13.2
4.14.0
4.14.1
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.15.0
4.16.0
4.17.0
4.17.1
4.17.2
4.17.3
4.17.4
4.17.5
4.17.6
4.18.0
4.18.1
4.18.2
4.18.3
4.19.2
4.19.3
4.19.4
4.19.5
4.20.0
4.20.1
4.21.0
4.22.0
4.22.1
4.22.2
4.22.3
4.23.0b1
4.23.0
4.23.1
4.23.2
4.23.3
4.23.5
4.23.6
4.24.0
4.24.1
4.24.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/astrbot/PYSEC-2026-2383.yaml"