CVE-2026-16076
Received Received - Intake

Authentication Bypass in AstrBot via Spoofed Username

Vulnerability report for CVE-2026-16076, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability has been found in AstrBotDevs AstrBot up to 4.25.5. This issue affects the function OpenApiRoute.chat_send of the file astrbot/dashboard/routes/open_api.py of the component API. Such manipulation of the argument Username leads to authentication bypass by spoofing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
astrbotdevs astrbot to 4.25.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authentication bypass in AstrBot up to version 4.25.5. It occurs in the OpenAPI chat endpoint where a user with a valid API key can spoof the username to impersonate an administrator. The API key authentication identifies the caller, but the OpenAPI handler overwrites the trusted principal with a user-controlled username from the request body, allowing unauthorized privilege escalation.

Detection Guidance

Check AstrBot logs for unusual API requests to the OpenAPI chat endpoint (/chat_send) where the username parameter is modified. Look for requests with admin-level commands like /name being executed by non-admin users. Monitor network traffic for HTTP POST requests to the vulnerable endpoint with spoofed usernames.

Impact Analysis

An attacker could impersonate an administrator to execute admin-only commands like /name, which would persistently alter system state under the spoofed identity. This could lead to unauthorized access, data manipulation, or control over the AstrBot system.

Mitigation Strategies

Upgrade AstrBot to the latest version beyond 4.25.5. If an update is unavailable, restrict access to the OpenAPI chat endpoint by IP or disable it entirely. Remove or restrict API keys with chat-scope permissions. Implement input validation to prevent username spoofing in API requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart