| Titre | AstrBotDevs AstrBot 4.23.6 Use of Default Credentials (CWE-1392) |
|---|
| Description | # Technical Details
A Use of Default Credentials vulnerability exists in the `login` method in `astrbot/dashboard/routes/auth.py` of AstrBot.
The application fails to enforce the change of hardcoded default dashboard credentials upon installation. The default configuration in `astrbot/core/config/default.py` ships with static credentials (`astrbot` and `77b90590a8945a7d36c963981a307dc9`). Since the `/api/auth/login` endpoint is accessible without authentication, remote attackers can trivially log in using these default credentials.
# Vulnerable Code
File: astrbot/dashboard/routes/auth.py
Method: login
Why: The application directly compares user input against the globally available default credentials defined in the application's config, granting a valid JWT upon match.
# Reproduction
1. Locate an AstrBot instance with the Dashboard enabled.
2. Send an unauthenticated `POST /api/auth/login` request.
3. Supply the JSON payload `{"username": "astrbot", "password": "77b90590a8945a7d36c963981a307dc9"}`.
4. Receive a valid JWT token in the response data and access administrative dashboard features.
# Impact
- Total compromise of the AstrBot dashboard administration interface.
- Unauthorized access to protected APIs enabling configuration modification and potential command execution. |
|---|
| La source | ⚠️ https://gist.github.com/YLChen-007/100a54ba05ff265f9045ad3ed7ec78d6 |
|---|
| Utilisateur | Eric-a (UID 96353) |
|---|
| Soumission | 07/05/2026 13:31 (il y a 28 jours) |
|---|
| Modérer | 31/05/2026 09:14 (24 days later) |
|---|
| Statut | Dupliqué |
|---|
| Entrée VulDB | 360420 [AstrBotDevs AstrBot jusqu’à 4.16.0 Dashboard auth.py authentification faible] |
|---|
| Points | 0 |
|---|