CVE-2026-16074
Received Received - Intake

Server-Side Request Forgery in AstrBot Plugin Update Handler

Vulnerability report for CVE-2026-16074, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulDB

Description

A vulnerability was detected in AstrBotDevs AstrBot up to 4.25.2. This affects the function update_plugin/update_all_plugins of the file astrbot/dashboard/routes/plugin.py of the component Plugin Update Handler. The manipulation of the argument download_url/download_urls/proxy results in server-side request forgery. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
astrbotdevs astrbot to 4.25.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a server-side request forgery (SSRF) in AstrBot up to version 4.25.2. It exists in the plugin update handler where the download_url or proxy arguments can be manipulated. An attacker can send crafted requests from a remote location to force the server to make unintended requests.

Detection Guidance

Detecting this vulnerability requires checking for AstrBot installations up to version 4.25.2 and monitoring for unusual network requests from the plugin update handler. Inspect logs for server-side request forgery attempts targeting plugin.py. Check for unexpected outbound connections from AstrBot processes.

Impact Analysis

An attacker could exploit this to make the server interact with internal systems or external resources it should not access. This may lead to unauthorized data exposure, internal service probing, or further attacks against connected systems. The public exploit availability increases risk.

Compliance Impact

This vulnerability involves server-side request forgery (SSRF) in AstrBot, allowing remote manipulation of plugin update URLs. While not directly tied to GDPR or HIPAA, SSRF could expose sensitive data or systems if exploited, potentially violating compliance requirements for data protection and access controls.

Mitigation Strategies

Immediately update AstrBot to the latest version beyond 4.25.2. Disable the plugin update functionality if not required. Restrict network access to AstrBot components and monitor for suspicious outbound requests. Block known malicious IPs if any are identified.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16074. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart