CVE-2026-10210
Received Received - Intake
AstrBot 4.23.6 Prompt Injection Vulnerability

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was found in AstrBotDevs AstrBot 4.23.6. Affected by this vulnerability is the function _sanitize_prompt_description of the file astrbot/core/skills/skill_manager.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10210
EUVD
EUVD-2026-33531
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
astrbotdevs astrbot to 4.23.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-10210 is a system prompt injection vulnerability in AstrBot version 4.23.6 and earlier. It occurs because the function responsible for sanitizing skill descriptions (_sanitize_prompt_description) does not sanitize descriptions of locally uploaded skills. An authenticated attacker can upload a malicious skill ZIP archive containing specially crafted descriptions that include multiline prompt injection payloads. These payloads break out of the intended skill description context and inject arbitrary instructions into the system prompt used by the language model.

This injection allows the attacker to override the behavior of the language model, potentially hijacking prompts, exfiltrating data if certain features are enabled, and establishing a persistent backdoor that remains active even after restarts.

Impact Analysis

This vulnerability can have several impacts on users of AstrBot. An attacker can hijack system prompts to manipulate the language model's behavior, potentially causing it to execute unintended commands or reveal sensitive information.

If the 'Computer Use' feature is enabled, the attacker may exfiltrate data from the system. Additionally, the vulnerability allows for a persistent backdoor that survives system restarts, meaning the attacker can maintain long-term unauthorized access and control.

Since the attack can be performed remotely by uploading a malicious skill, all users across connected chat platforms (such as QQ, WeChat, Telegram, etc.) are at risk as long as the malicious skill remains active.

Detection Guidance

This vulnerability can be detected by monitoring for the presence of malicious skill ZIP archives uploaded through the AstrBot dashboard, especially those containing a SKILL.md file with YAML literal block scalars in the description field that allow multiline prompt injection.

Since the vulnerability involves unsanitized skill descriptions in locally uploaded skills, detection can focus on inspecting uploaded skill ZIP files for suspicious or malformed SKILL.md files.

Commands to detect such malicious uploads might include extracting and searching skill ZIP archives for suspicious YAML literal blocks or unusual multiline descriptions.

  • unzip suspicious_skill.zip -p SKILL.md | grep -P 'description:\s*\|-'
  • grep -r --include='SKILL.md' 'description: |-' /path/to/astrbot/skills/

Additionally, monitoring network traffic for unusual API calls to the dashboard upload endpoint or unexpected skill activations across connected chat platforms may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability to upload local skill ZIP archives through the dashboard to prevent attackers from injecting malicious skills.

Review and sanitize all locally uploaded skill descriptions manually or via automated scripts before activation to ensure no prompt injection payloads are present.

Monitor and disable any suspicious or unknown skills that have been uploaded and are currently active.

Limit user privileges to reduce the risk of authenticated attackers uploading malicious skills.

Since no patched versions are available, consider isolating the AstrBot instance from sensitive data or critical systems until a fix is released.

Compliance Impact

The vulnerability allows an authenticated attacker to inject arbitrary instructions into the system prompt, potentially leading to prompt hijacking, data exfiltration, and persistent backdoors. Such unauthorized data access and manipulation could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.

Since the vulnerability enables data exfiltration and persistent unauthorized control over the system, affected organizations may face compliance risks related to confidentiality, integrity, and availability of protected data under these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart