CVE-2026-16075
Received Received - Intake

Authorization Bypass in AstrBot via Username Manipulation

Vulnerability report for CVE-2026-16075, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A flaw has been found in AstrBotDevs AstrBot up to 4.25.5. This vulnerability affects the function OpenApiRoute.get_chat_sessions of the file astrbot/dashboard/routes/open_api.py of the component session-listing Endpoint. This manipulation of the argument Username causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
astrbotdevs astrbot to 4.25.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass in AstrBot versions up to 4.25.5. It affects the session-listing endpoint where the username parameter is manipulated to retrieve WebChat session metadata belonging to other users. The endpoint ignores the authenticated API key and uses the caller-controlled username to filter sessions, allowing unauthorized access to session details.

Detection Guidance

To detect this vulnerability, check if AstrBot versions up to 4.25.5 are running. Use commands like 'curl -X GET http://<target>/api/v1/chat/sessions?username=<victim_username>' with a valid chat-scope API key. If session metadata for other users is returned, the system is vulnerable.

Impact Analysis

If you use AstrBot up to 4.25.5, an attacker with a valid chat-scope API key could exploit this to access your WebChat session metadata, including session identifiers, platform IDs, creator names, display names, and timestamps. This could lead to privacy breaches or session hijacking if sensitive information is exposed.

Compliance Impact

This vulnerability could violate GDPR by exposing personal data without consent and HIPAA by compromising protected health information if session metadata includes such data. Unauthorized access to session details may lead to non-compliance with data protection requirements.

Mitigation Strategies

Immediately update AstrBot to the latest version beyond 4.25.5. If an update is unavailable, restrict access to the /api/v1/chat/sessions endpoint and ensure API keys are scoped correctly. Monitor logs for unauthorized session enumeration attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart