| Title | AstrBotDevs AstrBot 4.23.6 Use of Default Credentials (CWE-1392) |
|---|---|

# Description

## Technical Details

A Use of Default Credentials vulnerability exists in the `login` method in `astrbot/dashboard/routes/auth.py` of AstrBot.

The application does not force the hardcoded default dashboard credentials to be changed at installation. The default configuration in `astrbot/core/config/default.py` ships with static credentials (`astrbot` and `77b90590a8945a7d36c963981a307dc9`). Since the `/api/auth/login` endpoint is reachable without authentication, remote attackers can trivially log in with these default credentials.

## Vulnerable Code

File: `astrbot/dashboard/routes/auth.py`

Method: `login`

Why: The application compares the submitted username and password directly against the default credentials that are globally available from the application's config, and issues a valid JWT on a match.

## Reproduction

1. Locate an AstrBot instance with the Dashboard enabled.
2. Send an unauthenticated `POST /api/auth/login` request.
3. Supply the JSON payload `{"username": "astrbot", "password": "77b90590a8945a7d36c963981a307dc9"}`.
4. Receive a valid JWT token in the response data and access administrative dashboard features.

## Impact

- Total compromise of the AstrBot dashboard administration interface.
- Unauthorized access to protected APIs, enabling configuration modification and potential command execution.
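The root cause above is that nothing stops the shipped credentials from remaining in place. The following is an added example (not AstrBot's code, and not part of the original submission) of the two controls a maintainer would add: a startup check that refuses to serve the dashboard while the defaults are still configured, and a login path that re-checks the same condition and compares credentials in constant time. The `{"dashboard": {"username": ..., "password": ...}}` config layout, the function names and the `rotate_credentials` helper are assumptions for illustration; the default values are the ones quoted in the advisory, treated here as opaque strings exactly as the login request supplies them.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Default dashboard credentials as quoted in the advisory above. The password value
# is treated as an opaque stored string; how the real project stores it is not assumed.
KNOWN_DEFAULT_CREDENTIALS = {
    ("astrbot", "77b90590a8945a7d36c963981a307dc9"),
}


class DefaultCredentialsError(RuntimeError):
    """Raised when the dashboard is still configured with the shipped defaults."""


def _dashboard_section(config: Dict) -> Dict:
    # Hypothetical config layout: {"dashboard": {"username": ..., "password": ...}}
    return config.get("dashboard") or {}


def uses_default_credentials(config: Dict) -> bool:
    """True if the username or the password still matches a shipped default.

    Either field alone is enough: a changed username with the default password
    (or the reverse) still leaves one half of the secret publicly known.
    """
    dash = _dashboard_section(config)
    username = str(dash.get("username", ""))
    password = str(dash.get("password", ""))
    return any(
        username == default_user or password == default_pass
        for default_user, default_pass in KNOWN_DEFAULT_CREDENTIALS
    )


def check_startup(config: Dict) -> None:
    """Refuse to bring up the dashboard while the shipped defaults are in place."""
    if uses_default_credentials(config):
        raise DefaultCredentialsError(
            "dashboard still uses the shipped default username/password; "
            "set dashboard.username and dashboard.password before enabling it"
        )


def login(config: Dict, username: str, password: str) -> Tuple[bool, str]:
    """Authenticate a login request against the configured dashboard credentials.

    Returns (granted, reason). A real handler would mint a session token only
    when granted is True; token issuance is outside this example.
    """
    # Gate every login on the same check, so a deployment that bypassed the
    # startup check (or had its config reverted) still cannot be entered with
    # the defaults, even if the submitted credentials match them.
    if uses_default_credentials(config):
        return False, "login disabled until default credentials are changed"
    dash = _dashboard_section(config)
    expected_user = str(dash.get("username", "")).encode()
    expected_pass = str(dash.get("password", "")).encode()
    # Constant-time comparison of both fields. Both are always evaluated so the
    # response time does not reveal which field was wrong.
    user_ok = hmac.compare_digest(str(username).encode(), expected_user)
    pass_ok = hmac.compare_digest(str(password).encode(), expected_pass)
    if user_ok and pass_ok:
        return True, "ok"
    return False, "invalid credentials"


def rotate_credentials(config: Dict, username: str) -> Tuple[Dict, str]:
    """Return a copy of config with a fresh dashboard secret, plus that secret.

    Constructed helper: a random 32-hex-character token stands in for whatever
    the real project stores; the point is that the value is not the shipped one.
    """
    new_secret = secrets.token_hex(16)
    rotated = dict(config)
    rotated["dashboard"] = dict(
        _dashboard_section(config), username=username, password=new_secret
    )
    return rotated, new_secret


if __name__ == "__main__":
    # Constructed configuration mirroring the shipped defaults described above.
    shipped = {"dashboard": {"enable": True, "username": "astrbot",
                             "password": "77b90590a8945a7d36c963981a307dc9"}}
    print(login(shipped, "astrbot", "77b90590a8945a7d36c963981a307dc9"))
    try:
        check_startup(shipped)
    except DefaultCredentialsError as exc:
        print("startup refused:", exc)
    rotated, secret = rotate_credentials(shipped, "ops-admin")
    check_startup(rotated)          # passes once the defaults are gone
    print(login(rotated, "ops-admin", secret))
    print(login(rotated, "ops-admin", "wrong"))
```

Running the block shows the default-credential login refused even when the supplied values match, the startup check raising, and logins succeeding only after rotation. The login-time check is deliberately redundant with the startup check: the advisory's exposure is that the endpoint is reachable without authentication, so the refusal has to hold at the endpoint itself, not only at process start.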
| Source | ⚠️ https://gist.github.com/YLChen-007/100a54ba05ff265f9045ad3ed7ec78d6 |
|---|---|
| User | Eric-a (UID 96353) |
| Submission | 07/05/2026 01:31 PM (30 days ago) |
| Moderation | 31/05/2026 09:14 AM (24 days later) |
| Status | Duplicate |
| VulDB Entry | 360420 [AstrBotDevs AstrBot up to 4.16.0 Dashboard auth.py weak authentication] |
| Points | 0 |