VYPR
← All advisories
Medium severity6.3NVD Advisory· Published Jun 1, 2026

CVE-2026-10211

CVE-2026-10211

Description

AstrBot 4.23.6 has an authorization flaw in file write/edit tools allowing non-admin users to write arbitrary files to skill directories, enabling skill injection and potential RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AstrBot 4.23.6 has an authorization flaw in file write/edit tools allowing non-admin users to write arbitrary files to skill directories, enabling skill injection and potential RCE.

Vulnerability

The vulnerability resides in the _normalize_rw_path function in astrbot/core/tools/computer_tools/fs.py of AstrBot 4.23.6. This function is reused for both read and write/edit workflows, but it only checks paths against _read_allowed_roots, which includes the global skills path intended for read access. As a result, restricted (non-admin) users can supply absolute paths to FileWriteTool.call or FileEditTool.call and bypass authorization, allowing writes to skill directories.

Exploitation

An attacker needs network access to the AstrBot instance and a non-admin user account. The exploit involves supplying an absolute path such as .../data/skills/malicious/SKILL.md to the file write or edit tool. Because _normalize_rw_path only verifies membership in _read_allowed_roots, the path passes authorization. The exploit has been publicly disclosed [1].

Impact

Successful exploitation allows an attacker to write arbitrary files into globally shared skill directories. This can lead to persistent malicious skill injection. When the injected skill is loaded or invoked, it may result in remote code execution, compromising the confidentiality, integrity, and availability of the system [1].

Mitigation

As of the publication date, no fix has been released; the vendor did not respond to disclosure. Users should restrict access to the file write and edit tools for non-admin users, or disable them entirely if not needed. Monitor for any future patches from the vendor.

References
  1. Non-admin Arbitrary File Write via Path-Authorization Mismatch in astrbot_file_write_tool / astrbot_file_edit_tool

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • AstrBotDevs/Astrbotinferred2 versions
    = 4.23.6+ 1 more
    • (no CPE)range: = 4.23.6
    • (no CPE)range: = 4.23.6

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The write/edit authorization check reuses the read-allowed roots list, so a restricted user can write arbitrary files into globally shared skill directories by supplying an absolute path."

Attack vector

An authenticated non-admin attacker sends a chat message that triggers a filesystem tool call (FileWriteTool or FileEditTool) with an absolute path pointing to a globally shared skill directory (e.g., `data/skills/malicious/SKILL.md`). Because `_normalize_rw_path` only checks membership in the read-allowed roots, the write is permitted even though the user should not have write access to that directory. This allows the attacker to inject a malicious skill, which can lead to remote code execution when the skill is loaded or invoked. The attack is remote and requires only low-privilege authentication [ref_id=1].

Affected code

The vulnerability resides in `astrbot/core/tools/computer_tools/fs.py`. The function `_normalize_rw_path` reuses the read-allowed roots list (which includes `data/skills`) for write and edit operations, and `_resolve_tool_path` accepts absolute paths without restriction. Both `FileWriteTool.call` and `FileEditTool.call` rely on `_normalize_rw_path`, so a restricted user can supply an absolute path such as `.../data/skills/malicious/SKILL.md` and bypass authorization.

What the fix does

The advisory does not provide a patch; the vendor did not respond. The recommended fix would be to introduce a separate write-allowed roots list distinct from the read-allowed roots, and to have `_normalize_rw_path` (or a dedicated write-path function) enforce membership in that write-allow list. Additionally, `_resolve_tool_path` should reject or sanitize absolute paths when the caller is restricted, or the write tools should validate that the resolved path falls within a writable workspace rather than a read-only skill directory [ref_id=1].

Preconditions

  • authAttacker must have a valid non-admin session on the AstrBot dashboard.
  • networkThe AstrBot server must be reachable over the network (e.g., at http://127.0.0.1:6185).
  • configThe filesystem tools (FileWriteTool, FileEditTool) must be available in the local runtime toolchain.
  • inputAttacker supplies an absolute path as the tool argument, bypassing workspace-jail assumptions.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.