Soumettre #852863: AstrBotDevs AstrBot <= 4.25.5 Authorization Bypass Through User-Controlled Key (CWE-639)information

TitreAstrBotDevs AstrBot <= 4.25.5 Authorization Bypass Through User-Controlled Key (CWE-639)
Description# Technical Details An authorization bypass exists in the `OpenApiRoute.get_chat_sessions` method in `astrbot/dashboard/routes/open_api.py` of AstrBot. The application authenticates OpenAPI callers with an API key and stores the trusted principal in `g.username`, but the session-listing endpoint ignores that server-derived identity and instead trusts the caller-controlled `username` query parameter as the database ownership filter. # Vulnerable Code File: `astrbot/dashboard/server.py` Method: OpenAPI API-key middleware Why: The middleware correctly validates the API key and sets `g.username = f"api_key:{api_key.key_id}"`, creating a trusted authenticated principal. File: `astrbot/dashboard/routes/open_api.py` Method: `OpenApiRoute.get_chat_sessions` Why: The endpoint resolves `request.args.get("username")` and passes the attacker-controlled value as `creator=username` to `self.db.get_platform_sessions_by_creator_paginated(...)`, so a `chat`-scope API key holder can enumerate sessions owned by another user. # Reproduction 1. Run AstrBot `<= 4.25.5` with the dashboard/OpenAPI service enabled. 2. Log into `/api/auth/login` and create a valid OpenAPI key with `chat` scope via `/api/apikey/create`. 3. Create or identify a victim-owned WebChat session, for example under `dashboard-admin`. 4. Send `GET /api/v1/chat/sessions?username=dashboard-admin&page=1&page_size=20&platform_id=webchat` with header `X-API-Key: <chat-scope-api-key>`. 5. Observe that the response includes session IDs and metadata belonging to the supplied `username`. 6. Change only `username` to an unrelated user and observe that the session list becomes empty, confirming the leak depends on the caller-controlled key. # Impact - Any holder of a `chat`-scope API key can enumerate WebChat sessions belonging to other users by supplying their usernames. - Exposed data includes session identifiers, platform identifiers, creator names, display names, and creation/update timestamps. - The leaked session metadata can support follow-on attacks against endpoints that accept `session_id`, `username`, or related routing identity values.
La source⚠️ https://gist.github.com/YLChen-007/5fee3adfd95333b0f4eff8165af61f81
Utilisateur Eric-d (UID 96861)
Soumission09/06/2026 12:05 (il y a 1 mois)
Modérer17/07/2026 15:39 (1 month later)
StatutAccepté
Entrée VulDB379790 [AstrBotDevs AstrBot jusqu’à 4.25.5 session-listing Endpoint open_api.py OpenApiRoute.get_chat_sessions Nom d'utilisateur élévation de privilèges]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!