Executive Summary

CVE-2026-10211 is an authorization bypass vulnerability in AstrBot version 4.23.6 and earlier. It occurs due to incorrect authorization logic in the _normalize_rw_path function within the astrbot/core/tools/computer_tools/fs.py file.

The vulnerability allows non-admin authenticated users to write arbitrary files into globally shared skill directories by exploiting a mismatch in path authorization checks. Specifically, the function that normalizes read-write paths only verifies if paths are within read-allowed roots, which are intended for read-only access. This flaw enables restricted users to bypass write restrictions by supplying absolute paths.

An attacker can use this flaw to inject malicious skills into the data/skills directory, potentially leading to persistent compromise and remote code execution when these skills are loaded or executed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized modification of shared automation logic by non-admin users.

An attacker can write arbitrary files, including malicious code, into critical directories, which may lead to persistent compromise of the system.

Exploitation can result in remote code execution, compromising the confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if non-admin users are able to write files into globally shared skill directories, which should be restricted. Specifically, monitoring attempts to write files to paths under the data/skills directory can indicate exploitation.

Since exploitation requires access to the AstrBot server (e.g., http://127.0.0.1:6185) and default credentials, verifying if default credentials are still in use is important.

Commands to detect potential exploitation or attempts could include:

• Checking for recently modified or created files in the shared skills directory, e.g., `find /root/project/xclaw-project/AstrBot/data/skills -type f -mtime -7` to find files modified in the last 7 days.
• Reviewing AstrBot server access logs for unusual write operations or access from non-admin users.
• Checking for running processes or loaded skills that are unexpected or malicious.
• Verifying if default credentials are still active by attempting to log in or reviewing configuration files.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the AstrBot server to trusted users only and disabling or changing any default credentials to prevent unauthorized access.

Since no patched versions are currently available, it is critical to monitor and audit file writes to the shared skill directories to detect and prevent unauthorized modifications.

Limiting network exposure of the AstrBot server (e.g., binding to localhost only or using firewall rules) can reduce the risk of remote exploitation.

Review and remove any suspicious or unauthorized skill files in the data/skills directory to prevent execution of malicious code.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized users to write arbitrary files into globally shared skill directories, leading to potential persistent compromise and remote code execution. Such unauthorized access and manipulation of data can undermine the integrity and confidentiality of systems.

Because it compromises access controls and allows unauthorized modification of files, this vulnerability could lead to violations of compliance requirements in standards like GDPR and HIPAA, which mandate strict controls over data integrity, confidentiality, and access management.

Specifically, the ability for non-admin users to bypass authorization and inject malicious code may result in unauthorized data exposure or alteration, which conflicts with regulatory obligations to protect sensitive information and maintain secure systems.

Useful 0 Not Useful 0