Scan free
MEDIUMCVE-2026-6118CVSS 6.3

CVE-2026-6118: Command Injection in AstrBot

Platform

python

Component

astrbot

Fixed in

4.22.1

4.22.2

AI Confidence: highNVDEPSS 4.4%Reviewed: May 2026
View on NVD
Save

CVE-2026-6118 is a command injection vulnerability affecting AstrBot versions 4.22.0 through 4.22.1. This flaw allows attackers to inject and execute arbitrary commands on the server, potentially leading to unauthorized access and system compromise. The vulnerability resides within the addmcpserver function of the astrbot/dashboard/routes/tools.py file. While a fix has not yet been released by the vendor, mitigation strategies are available.

Python

Detect this CVE in your project

Upload your requirements.txt file and we'll tell you instantly if you're affected.

Upload requirements.txtSupported formats: requirements.txt · Pipfile.lock

Impact and Attack Scenarios

Successful exploitation of CVE-2026-6118 allows an attacker to execute arbitrary commands on the server hosting AstrBot. This could lead to a complete system takeover, enabling the attacker to steal sensitive data, install malware, or disrupt services. The remote nature of the vulnerability significantly broadens the attack surface, as it can be exploited from anywhere with network access to the affected system. The ability to inject commands directly bypasses standard security controls, making it a particularly dangerous vulnerability. The lack of vendor response increases the risk of exploitation.

Exploitation Context

CVE-2026-6118 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability is considered potentially exploitable, and the lack of a vendor response raises concerns about the timeliness of a fix. No known active campaigns have been reported at this time, but the public disclosure makes it a prime target for opportunistic attackers. The vulnerability was reported to the project early, but no response has been received, which is a concerning indicator.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

4.42% (89% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R6.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentastrbot
VendorAstrBotDevs
Affected rangeFixed in
4.22.0 – 4.22.04.22.1
4.22.1 – 4.22.14.22.2

Weakness Classification (CWE)

CWE-77CWE-74

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 42 days since disclosure

Mitigation and Workarounds

Due to the absence of a vendor-supplied patch, immediate mitigation is crucial. Implement strict input validation on all user-supplied data passed to the addmcpserver function. Consider using a Web Application Firewall (WAF) with command injection rules to filter malicious input. Restrict network access to the AstrBot dashboard to only authorized personnel. Monitor system logs for suspicious command execution patterns. While not a complete solution, these measures can significantly reduce the risk of exploitation until a patch is available. After implementing these mitigations, verify their effectiveness by attempting to trigger the vulnerability with carefully crafted input and confirming that the commands are properly sanitized.

How to fix

Update AstrBot to a patched version. The vendor has not responded, so it is recommended to monitor the situation and apply the update as soon as it is available. Consult the official AstrBot documentation for upgrade instructions.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-6118 — Command Injection in AstrBot?

CVE-2026-6118 is a command injection vulnerability affecting AstrBot versions 4.22.0–4.22.1, allowing attackers to execute arbitrary commands on the server.

Am I affected by CVE-2026-6118 in AstrBot?

You are affected if you are running AstrBot versions 4.22.0 or 4.22.1 and have not implemented mitigating controls.

How do I fix CVE-2026-6118 in AstrBot?

A vendor patch is not yet available. Implement input validation, WAF rules, and restrict network access as temporary mitigations.

Is CVE-2026-6118 being actively exploited?

While no active campaigns are confirmed, the vulnerability is publicly disclosed and potentially exploitable.

Where can I find the official AstrBot advisory for CVE-2026-6118?

Check the AstrBot project's website and GitHub repository for updates and advisories related to CVE-2026-6118.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs