VYPR
← All advisories
Medium severity6.3NVD Advisory· Published Jun 1, 2026

CVE-2026-10210

CVE-2026-10210

Description

AstrBot 4.23.6 fails to sanitize skill descriptions for locally uploaded skills, allowing authenticated attackers to inject arbitrary instructions into the LLM system prompt.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AstrBot 4.23.6 fails to sanitize skill descriptions for locally uploaded skills, allowing authenticated attackers to inject arbitrary instructions into the LLM system prompt.

Vulnerability

AstrBot 4.23.6 contains a system prompt injection vulnerability in the build_skills_prompt() function within astrbot/core/skills/skill_manager.py. The _sanitize_prompt_description() method strips backticks, control characters, and collapses whitespace, but it is only called when skill.source_type == "sandbox_only". Skills uploaded via the dashboard API (source type local_only) bypass this sanitization entirely, allowing malicious multiline payloads—including markdown code fences and newlines—to break out of the skill description context and appear as standalone system-level directives [1].

Exploitation

An authenticated attacker with access to the AstrBot dashboard can upload a crafted skill ZIP archive via POST /api/skills/upload. The archive contains a SKILL.md file whose YAML frontmatter description field includes a prompt injection payload (e.g., using newlines and backticks to simulate a system instruction). When any user initiates a conversation, the unsanitized description is embedded directly into the LLM system prompt, causing the injected instructions to be followed [1].

Impact

Successful exploitation allows the attacker to inject arbitrary instructions into the LLM system prompt. This can lead to data exfiltration, unauthorized actions performed by the LLM, or other compromises depending on the capabilities granted to the model. The attacker gains the ability to control the LLM's behavior at the system level, potentially affecting all conversations that include the malicious skill [1].

Mitigation

As of the publication date (2026-06-01), the vendor has not responded to the disclosure and no official fix is available. Users should restrict skill upload privileges to trusted administrators only, or manually apply the sanitization logic to all skill types by modifying the build_skills_prompt() function to call _sanitize_prompt_description() regardless of source_type. No workaround is provided by the vendor [1].

References
  1. System Prompt Injection via Unsanitized Local Skill Description in build_skills_prompt()

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • AstrBotDevs/Astrbotinferred2 versions
    = 4.23.6+ 1 more
    • (no CPE)range: = 4.23.6
    • (no CPE)range: = 4.23.6

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing conditional sanitization: `_sanitize_prompt_description()` is only applied to `sandbox_only` skills, leaving `local_only` skill descriptions unsanitized before embedding into the LLM system prompt."

Attack vector

An authenticated attacker uploads a crafted skill ZIP archive containing a `SKILL.md` file with a YAML literal block scalar (`|`) in the description field, preserving newlines and backticks. The `build_skills_prompt()` function embeds this unsanitized description into the LLM system prompt, allowing multiline injection payloads to break out of the markdown list-item context and appear as standalone system-level directives [CWE-74]. The attack is performed remotely via the dashboard's `POST /api/skills/upload` endpoint and requires only valid dashboard credentials (factory defaults are hardcoded) [ref_id=1].

Affected code

The vulnerability is in `astrbot/core/skills/skill_manager.py`, specifically in `build_skills_prompt()` (lines 209-213) which only calls `_sanitize_prompt_description()` when `skill.source_type == "sandbox_only"`, leaving `local_only` skill descriptions unsanitized. The upload path is in `astrbot/dashboard/routes/skills.py` (line 157) and the unsanitized prompt is injected into `req.system_prompt` in `astrbot/core/astr_main_agent.py` (line 421).

What the fix does

The patch must extend the sanitization call in `build_skills_prompt()` to apply `_sanitize_prompt_description()` to all skill types, not only `sandbox_only`. The existing `_sanitize_prompt_description()` function already strips backticks, removes control characters, and collapses whitespace/newlines to single spaces — which would neutralize the YAML block-scalar injection. No official patch has been published by the vendor as of the advisory [ref_id=1].

Preconditions

  • authValid dashboard credentials (factory defaults: astrbot / 77b90590a8945a7d36c963981a307dc9)
  • configAstrBot instance running with dashboard enabled (default configuration)
  • networkNetwork access to the AstrBot dashboard API endpoint
  • inputAbility to upload a ZIP archive containing a crafted SKILL.md file

Reproduction

1. Start AstrBot via Docker Compose (`docker compose up -d`). 2. Authenticate to the dashboard via `POST /api/auth/login` with default credentials. 3. Create a ZIP archive containing a `SKILL.md` with a YAML literal block scalar (`|`) description containing injection payload (e.g., `IGNORE ALL PREVIOUS INSTRUCTIONS...`). 4. Upload the ZIP via `POST /api/skills/upload`. 5. Verify the unsanitized description appears in the generated system prompt, breaking out of the markdown list-item context [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.