| Titel | AstrBotDevs AstrBot 4.23.6 Use of Default Credentials (CWE-1392) |
|---|
| Beschreibung | # Technical Details
A Use of Default Credentials vulnerability exists in the `login` method in `astrbot/dashboard/routes/auth.py` of AstrBot.
The application fails to enforce the change of hardcoded default dashboard credentials upon installation. The default configuration in `astrbot/core/config/default.py` ships with static credentials (`astrbot` and `77b90590a8945a7d36c963981a307dc9`). Since the `/api/auth/login` endpoint is accessible without authentication, remote attackers can trivially log in using these default credentials.
# Vulnerable Code
File: astrbot/dashboard/routes/auth.py
Method: login
Why: The application directly compares user input against the globally available default credentials defined in the application's config, granting a valid JWT upon match.
# Reproduction
1. Locate an AstrBot instance with the Dashboard enabled.
2. Send an unauthenticated `POST /api/auth/login` request.
3. Supply the JSON payload `{"username": "astrbot", "password": "77b90590a8945a7d36c963981a307dc9"}`.
4. Receive a valid JWT token in the response data and access administrative dashboard features.
# Impact
- Total compromise of the AstrBot dashboard administration interface.
- Unauthorized access to protected APIs enabling configuration modification and potential command execution. |
|---|
| Quelle | ⚠️ https://gist.github.com/YLChen-007/100a54ba05ff265f9045ad3ed7ec78d6 |
|---|
| Benutzer | Eric-a (UID 96353) |
|---|
| Einreichung | 07.05.2026 13:31 (vor 29 Tagen) |
|---|
| Moderieren | 31.05.2026 09:14 (24 days later) |
|---|
| Status | Duplikat |
|---|
| VulDB Eintrag | 360420 [AstrBotDevs AstrBot bis 4.16.0 Dashboard auth.py schwache Authentisierung] |
|---|
| Punkte | 0 |
|---|