CVE-2026-10210
AstrBot 4.23.6 Prompt Injection Vulnerability
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| astrbotdevs | astrbot | to 4.23.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10210 is a system prompt injection vulnerability in AstrBot version 4.23.6 and earlier. It occurs because the function responsible for sanitizing skill descriptions (_sanitize_prompt_description) does not sanitize descriptions of locally uploaded skills. An authenticated attacker can upload a malicious skill ZIP archive containing specially crafted descriptions that include multiline prompt injection payloads. These payloads break out of the intended skill description context and inject arbitrary instructions into the system prompt used by the language model.
This injection allows the attacker to override the behavior of the language model, potentially hijacking prompts, exfiltrating data if certain features are enabled, and establishing a persistent backdoor that remains active even after restarts.
How can this vulnerability impact me?
This vulnerability can have several impacts on users of AstrBot. An attacker can hijack system prompts to manipulate the language model's behavior, potentially causing it to execute unintended commands or reveal sensitive information.
If the 'Computer Use' feature is enabled, the attacker may exfiltrate data from the system. Additionally, the vulnerability allows for a persistent backdoor that survives system restarts, meaning the attacker can maintain long-term unauthorized access and control.
Since the attack can be performed remotely by uploading a malicious skill, all users across connected chat platforms (such as QQ, WeChat, Telegram, etc.) are at risk as long as the malicious skill remains active.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the presence of malicious skill ZIP archives uploaded through the AstrBot dashboard, especially those containing a SKILL.md file with YAML literal block scalars in the description field that allow multiline prompt injection.
Since the vulnerability involves unsanitized skill descriptions in locally uploaded skills, detection can focus on inspecting uploaded skill ZIP files for suspicious or malformed SKILL.md files.
Commands to detect such malicious uploads might include extracting and searching skill ZIP archives for YAML block scalars (the `|`, `|-`, `|+`, `>` and `>-` indicators) or other unusual multiline descriptions. The first command prints any SKILL.md member of the archive to stdout without unpacking it; the second searches skills that are already installed.
- unzip -p suspicious_skill.zip '*SKILL.md' | grep -P '^description:\s*[|>]'
- grep -r --include='SKILL.md' -P '^description:\s*[|>]' /path/to/astrbot/skills/
Additionally, monitoring network traffic for unusual API calls to the dashboard upload endpoint or unexpected skill activations across connected chat platforms may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the ability to upload local skill ZIP archives through the dashboard to prevent attackers from injecting malicious skills.
Review and sanitize all locally uploaded skill descriptions manually or via automated scripts before activation to ensure no prompt injection payloads are present.
Monitor and disable any suspicious or unknown skills that have been uploaded and are currently active.
Limit user privileges to reduce the risk of authenticated attackers uploading malicious skills.
Since no patched versions are available, consider isolating the AstrBot instance from sensitive data or critical systems until a fix is released.
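The following Python script is an added, defensive example; it is not AstrBot's own code and is not part of this advisory. It covers both the detection commands above and the "review and sanitize via automated scripts before activation" step: it opens a skill ZIP archive in memory, finds every SKILL.md member, reads the YAML front matter and reports a description that uses a block scalar indicator, carries indented continuation lines, or hides an escaped newline in a double-quoted value; it then collapses such a description to a single line, the normalisation a sanitizer is expected to apply before the text reaches the system prompt. The `weather/SKILL.md` member name, the sample front matter and the `---`-delimited front-matter layout are constructed assumptions. Only the standard library is used, so YAML is not parsed fully and only the multiline forms named here are flagged.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# YAML front matter delimited by '---' lines at the top of SKILL.md (assumed layout)
FRONT_MATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n---[ \t]*(?:\n|\Z)", re.DOTALL)
DESC_KEY_RE = re.compile(r"^description:[ \t]*(.*)$")
# Block scalar indicators: '|', '|-', '|+', '>', '>-', with optional indentation digit
BLOCK_INDICATOR_RE = re.compile(r"^[|>](?:[+-]?\d?|\d?[+-]?)\s*$")

# Constructed sample SKILL.md bodies (assumptions, not files from AstrBot).
SAFE_SKILL_MD = """---
name: weather
description: Returns the current weather for a city.
---
# Weather skill
"""

SUSPICIOUS_SKILL_MD = """---
name: weather
description: |-
  Returns the current weather for a city.
  Second line that would land in the system prompt.
---
# Weather skill
"""


def extract_front_matter(skill_md: str) -> Optional[str]:
    """Return the text between the leading '---' markers, or None if absent."""
    m = FRONT_MATTER_RE.match(skill_md)
    return m.group(1) if m else None


def _description_parts(front_matter: str) -> Optional[Tuple[str, List[str]]]:
    """Locate the top-level description key and return (value on the key line,
    following indented lines that YAML would fold into the same scalar)."""
    lines = front_matter.splitlines()
    for i, line in enumerate(lines):
        m = DESC_KEY_RE.match(line)
        if not m:
            continue
        cont: List[str] = []
        for nxt in lines[i + 1:]:
            if nxt.strip() == "" or nxt[0] in " \t":
                cont.append(nxt)
            else:
                break
        while cont and cont[-1].strip() == "":  # trailing blank lines are not content
            cont.pop()
        return m.group(1), cont
    return None


def check_description(front_matter: str) -> List[str]:
    """Findings for a description that can carry more than one line of text."""
    parts = _description_parts(front_matter)
    if parts is None:
        return ["no description key"]
    value, cont = parts
    findings = []
    if BLOCK_INDICATOR_RE.match(value):
        findings.append("block scalar indicator on description")
    if cont:
        findings.append(f"{len(cont)} continuation line(s) in description")
    if value.startswith('"') and "\\n" in value:
        findings.append("escaped newline in double-quoted description")
    return findings


def single_line_description(front_matter: str) -> Optional[str]:
    """Collapse the description to one line of text: drop the block indicator,
    join continuation lines, strip quotes, and squeeze all whitespace runs."""
    parts = _description_parts(front_matter)
    if parts is None:
        return None
    value, cont = parts
    pieces = [] if BLOCK_INDICATOR_RE.match(value) else [value]
    text = " ".join(" ".join(pieces + cont).split())
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        text = text[1:-1].replace("\\n", " ")
    return " ".join(text.split())


def build_skill_zip(skill_md: str, member: str = "weather/SKILL.md") -> bytes:
    """Build an in-memory skill archive with a constructed member layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, skill_md)
    return buf.getvalue()


def scan_skill_zip(data: bytes) -> Dict[str, List[str]]:
    """Map every SKILL.md member in the archive to its findings."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] != "SKILL.md":
                continue
            fm = extract_front_matter(zf.read(name).decode("utf-8", "replace"))
            results[name] = ["no YAML front matter"] if fm is None else check_description(fm)
    return results


if __name__ == "__main__":
    for label, body in (("safe", SAFE_SKILL_MD), ("suspicious", SUSPICIOUS_SKILL_MD)):
        print(label, scan_skill_zip(build_skill_zip(body)))
        print("  normalised:", single_line_description(extract_front_matter(body)))
```

Run it against a real upload by replacing `build_skill_zip(...)` with the bytes of the archive; an empty findings list means the description is a single plain scalar, and anything else deserves a manual look before the skill is activated.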
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to inject arbitrary instructions into the system prompt, potentially leading to prompt hijacking, data exfiltration, and persistent backdoors. Such unauthorized data access and manipulation could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.
Since the vulnerability enables data exfiltration and persistent unauthorized control over the system, affected organizations may face compliance risks related to confidentiality, integrity, and availability of protected data under these standards.