AstrBotDevs AstrBot MCP Endpoint tools.py add_mcp_server command injection_CVE-2026-6118

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was determined in AstrBotDevs AstrBot up to 4.22.1. Impacted is the function add_mcp_server of the file astrbot/dashboard/routes/tools.py of the component MCP Endpoint. This manipulation of the argument command causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Basic Information

ID CVE-2026-6118

Source VulDB

Published Apr 12, 2026 at 04:45

Affected Product

Vendor AstrBotDevs

Product AstrBot

Version 4.22.0

Affected Versions AstrBotDevs AstrBot 4.22.0
AstrBotDevs AstrBot 4.22.1

CWE Classification

CWE-77 CWE-74

References

{
    "lastseen": "",
    "description": "A vulnerability was determined in AstrBotDevs AstrBot up to 4.22.1. Impacted is the function add_mcp_server of the file astrbot/dashboard/routes/tools.py of the component MCP Endpoint. This manipulation of the argument command causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.",
    "published": "2026-04-12T04:45:09.857Z",
    "modified": "2026-04-12T04:45:09.857Z",
    "type": "cve",
    "title": "AstrBotDevs AstrBot MCP Endpoint tools.py add_mcp_server command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/356978\nhttps://vuldb.com/vuln/356978/cti\nhttps://vuldb.com/submit/792655\nhttps://github.com/AstrBotDevs/AstrBot/issues/7169\nhttps://github.com/AstrBotDevs/AstrBot/",
    "id": "CVE-2026-6118",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "AstrBotDevs AstrBot 4.22.0\nAstrBotDevs AstrBot 4.22.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AstrBot",
    "version": "4.22.0",
    "vendor": "AstrBotDevs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}