CVE-2026-15499
Received Received - Intake

Improper Authorization in AstrBot via Scheduled Task Handler

Vulnerability report for CVE-2026-15499, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload["note"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
astrbotdevs astrbot to 4.25.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized modification and execution of scheduled tasks with potentially elevated privileges, including admin-level permissions. This improper authorization and privilege escalation could lead to unauthorized access to sensitive data or system functions.

Such unauthorized access and potential data manipulation may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not explicitly state the direct effects on compliance with these regulations.

Executive Summary

This vulnerability exists in AstrBot versions 4.25.2 and earlier within the future_task tool. It is an improper authorization flaw that allows users sharing the same unified message origin (UMO) to modify, list, or delete other users' scheduled tasks without verifying proper ownership.

When a task is edited, the original creator's sender_id remains in the payload, causing the scheduler to execute the modified task with the victim's cron privileges. If the victim has admin privileges, the attacker can run tasks with admin-level permissions.

The root cause is that authorization checks only verify session sharing rather than actual ownership of the tasks. Exploitation requires both attacker and victim to share the same UMO, such as being in the same group chat, and the victim must have created a future task.

Impact Analysis

This vulnerability can lead to unauthorized modification and execution of scheduled tasks under another user's privileges.

If the victim is an administrator, the attacker can escalate privileges and execute arbitrary tasks with admin-level permissions, potentially leading to unauthorized actions and control over the system.

The impact is significant due to the potential for privilege escalation and unauthorized task execution, which can compromise system integrity and security.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized modifications, listings, or deletions of scheduled tasks by users sharing the same unified message origin (UMO). Since exploitation requires the attacker and victim to share the same UMO, detection can focus on identifying unexpected changes to scheduled tasks within shared sessions or group chats.

Specifically, you can look for changes in the scheduled tasks where the 'sender_id' remains the original creator but the task content has been altered by another user in the same session.

While no explicit commands are provided, a practical approach would be to audit the scheduled tasks database or files for recent modifications and verify the ownership of those changes. For example, commands or scripts that compare the 'sender_id' with the user who last modified the task could help identify suspicious activity.

Mitigation Strategies

Immediate mitigation steps include restricting access to the scheduled task handler to prevent unauthorized users from modifying tasks they do not own.

Since the vulnerability arises from improper authorization checks that only validate session sharing rather than ownership, enforcing strict ownership verification before allowing modifications to scheduled tasks is critical.

Additionally, monitoring and alerting on changes to scheduled tasks within shared UMOs can help detect exploitation attempts early.

If possible, update AstrBot to a version later than 4.25.2 once a patch is available, or apply any vendor-provided fixes. Until then, limit the exposure by controlling user permissions and session sharing.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart