Compliance Impact

This vulnerability allows authenticated attackers to execute arbitrary system commands on the server running AstrBot, potentially leading to data exfiltration, unauthorized access, and lateral movement within the network.

Such unauthorized command execution and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Specifically, the risk of data exfiltration and unauthorized access could lead to violations of data privacy and security requirements mandated by these regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-6118 is a vulnerability in AstrBot versions up to 4.22.1 that allows arbitrary command execution through the MCP server configuration management functionality.

The flaw exists because the MCP server configuration accepts user-supplied fields such as 'command' and 'args' without any validation or restriction. These inputs are passed directly to a subprocess execution call during the MCP connection test.

An attacker with authenticated dashboard access can send a specially crafted request containing malicious commands, which the server executes immediately with the privileges of the AstrBot process.

This means the attacker can run arbitrary system commands remotely, potentially compromising the server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to execute any system command on the affected server with the same privileges as the AstrBot process.

• Attackers can exfiltrate sensitive data.
• They can install reverse shell backdoors to maintain persistent access.
• It enables lateral movement within the network, potentially compromising other systems.

Although exploitation requires authenticated dashboard access, this can be combined with other vulnerabilities such as default credentials to facilitate attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of the file /tmp/mcp_rce_marker.txt which is created as a proof of concept by executing a malicious command through the MCP server configuration.

A detection method involves sending an authenticated POST request to the endpoint /api/tools/mcp/add with a payload containing a command that writes a unique marker file on the server.

For example, a command like the following can be used to test for exploitation:

• POST /api/tools/mcp/add with JSON body {"command": "/bin/sh", "args": ["-c", "echo MCP_RCE_POC > /tmp/mcp_rce_marker.txt"]}

After sending this request, check if the file /tmp/mcp_rce_marker.txt exists on the server and contains the string MCP_RCE_POC.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing an allowlist of permitted MCP server executables to restrict which commands can be run.

• Allow only specific executables such as npx, uvx, node, python, and python3.

Additionally, validate and sanitize all command-line arguments to reject shell metacharacters that could enable command injection.

Separate the configuration saving process from the connection testing to avoid executing commands during configuration changes.

Add confirmation dialogs with security warnings when adding MCP servers to alert users of potential risks.

Log all MCP configuration changes with user attribution for auditability and to detect suspicious activity.

Useful 0 Not Useful 0