VYPR
← All advisories
Medium severity6.3NVD Advisory· Published Jun 1, 2026

CVE-2026-10212

CVE-2026-10212

Description

AstrBot 4.24.2 suffers from an IDOR via delimiter injection in session handling, allowing authenticated users to rename any other user's session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AstrBot 4.24.2 suffers from an IDOR via delimiter injection in session handling, allowing authenticated users to rename any other user's session.

Vulnerability

In AstrBot version 4.24.2, the function astr_main_agent in astrbot/core/astr_main_agent.py performs an unsafe string split on the session_id parameter. The code chatui_session_id = event.session_id.split("!")[-1] extracts the last segment after splitting on the ! character. Because the user-supplied session_id is not validated for containing !, an attacker can inject a delimiter to manipulate the extracted identifier, leading to an Insecure Direct Object Reference (IDOR) vulnerability [1].

Exploitation

An attacker must be authenticated to the AstrBot Dashboard with Live Chat functionality enabled. By sending a crafted WebSocket or WebChat API request with a session_id such as attacker!victim_session_id, the backend incorrectly extracts victim_session_id as the target session. The attacker can then issue a rename command (e.g., //rename) or allow the LLM to auto-generate a title, which updates the platform_sessions.display_name record for the victim's session [1]. The exploit is publicly available.

Impact

A successful attack allows the attacker to arbitrarily rename the display title of any other user's session in the database. This compromises data integrity and breaks user isolation, as session metadata can be modified without authorization. No further privilege escalation or data disclosure is described in the available references [1].

Mitigation

The vendor was contacted but did not respond, and no official fix or workaround has been released as of the publication date. Users are advised to restrict access to the Dashboard, disable Live Chat functionality if not required, or implement input validation on the session_id parameter to reject the ! character. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].

References
  1. IDOR via Delimiter Injection allows Session Renaming of any user

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • AstrBotDevs/Astrbotinferred2 versions
    = 4.24.2+ 1 more
    • (no CPE)range: = 4.24.2
    • (no CPE)range: = 4.24.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unsafe string splitting on attacker-controlled session_id allows delimiter injection, bypassing authorization when updating session titles."

Attack vector

An authenticated attacker sends a crafted WebSocket message to `/api/unified_chat/ws` with a `session_id` parameter containing the `!` delimiter followed by a known victim session ID (e.g., `attacker!victim_session_id`). The server concatenates this with adapter and username prefixes using `!` as a delimiter, then extracts the last segment via `.split("!")[-1]`, which yields the victim's session ID instead of the attacker's. The attacker then sends a `//rename` command, causing the server to update the victim's session display name. This is an Insecure Direct Object Reference (IDOR) via delimiter injection [CWE-639] [ref_id=1].

Affected code

The vulnerability is in `astrbot/core/astr_main_agent.py` at the function `astr_main_agent`. The unsafe line `chatui_session_id = event.session_id.split("!")[-1]` extracts the session ID by splitting on the `!` delimiter and taking the last segment, which an attacker can manipulate. The code path then uses this extracted ID to update the `platform_sessions.display_name` record, allowing unauthorized modification of another user's session title.

What the fix does

The advisory does not include a patch, but the root cause is the unsafe `event.session_id.split("!")[-1]` operation that trusts attacker-controlled input. A proper fix would validate that the user-supplied `session_id` does not contain the `!` delimiter before concatenation, or use a more robust method to associate the session with the authenticated user rather than extracting it from the split string. The vendor was contacted but did not respond.

Preconditions

  • authThe attacker must be able to log in to the AstrBot Dashboard via /api/auth/login to obtain an authentication token.
  • inputThe target's session_id (e.g., a UUID) must be known, enumerated, or observable.
  • configThe AstrBot instance must have Dashboard/Live Chat functionality enabled.

Reproduction

Download the PoC scripts from the advisory (fake_openai_server.py, poc_exploit.py, control-normal_session_id.py). Start a local AstrBot instance connected to the fake OpenAI server. Run `python3 poc_exploit.py` — it logs in, creates a victim session, connects to the WebSocket at `/api/unified_chat/ws`, and sends a message with `session_id` set to `attacker!{victim_session_id}` and `message` set to `//rename EXPLOIT_RENAMED`. Verify in the SQLite database that the victim's `display_name` changed to `EXPLOIT_RENAMED`.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.