Submission #821922: AstrBotDevs AstrBot 4.23.6 Use of Default Credentials (CWE-1392) - Info

Title: AstrBotDevs AstrBot 4.23.6 Use of Default Credentials (CWE-1392)

Description:

# Technical Details

A Use of Default Credentials vulnerability exists in the `login` method in `astrbot/dashboard/routes/auth.py` of AstrBot. The application does not enforce a change of the hardcoded default dashboard credentials after installation. The default configuration in `astrbot/core/config/default.py` ships with static credentials (`astrbot` and `77b90590a8945a7d36c963981a307dc9`). Since the `/api/auth/login` endpoint is reachable without authentication, a remote attacker can trivially log in with these default credentials.

# Vulnerable Code

File: `astrbot/dashboard/routes/auth.py`

Method: `login`

Why: The application compares the user-supplied credentials directly against the default values defined in the application's config and issues a valid JWT on match.

# Reproduction

1. Locate an AstrBot instance with the Dashboard enabled.
2. Send an unauthenticated `POST /api/auth/login` request.
3. Supply the JSON payload `{"username": "astrbot", "password": "77b90590a8945a7d36c963981a307dc9"}`.
4. Receive a valid JWT in the response data and access administrative dashboard features.

# Impact

- Total compromise of the AstrBot dashboard administration interface.
- Unauthorized access to protected APIs, enabling configuration modification and potential command execution.
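The following is an added example, not AstrBot's own code, that models the pattern the submission describes: a login handler that compares the request body directly against the configured credentials and issues a full admin token on match, beside a hardened variant that uses constant-time comparison and, while the shipped defaults are still configured, only issues a token scoped to changing the password. The config dict layout, the `change_password_only` scope, the HMAC-signed token standing in for the real JWT, and all function names are assumptions made for this illustration.

```python
"""Default-credential login pattern and a hardened form (added example, not AstrBot code).

Assumptions (hypothetical): the config is a dict with "username" and "password"
keys, and the token is an HMAC-signed opaque string standing in for the JWT.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Default credentials as quoted in the submission (the values AstrBot ships with).
SHIPPED_DEFAULTS = {
    "username": "astrbot",
    "password": "77b90590a8945a7d36c963981a307dc9",
}

# Constructed runtime config: an instance whose operator never changed the defaults.
UNCHANGED_CONFIG = dict(SHIPPED_DEFAULTS)

# Per-process signing key for the demo token (stands in for the dashboard JWT secret).
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _ct_eq(a: str, b: str) -> bool:
    """Constant-time string comparison (encode first so non-ASCII input is accepted)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def issue_token(username: str, scope: str) -> str:
    """Minimal HMAC-signed token standing in for the JWT the dashboard issues."""
    payload = json.dumps({"sub": username, "scope": scope, "iat": int(time.time())}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str) -> Optional[dict]:
    """Return the token claims if the signature checks out, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)


def login_vulnerable(config: dict, username: str, password: str) -> dict:
    """Pattern the submission describes: compare the request body directly against the
    config values and hand out a full admin token on match, with no check that the
    config still holds the shipped defaults."""
    if username == config["username"] and password == config["password"]:
        return {"status": "ok", "token": issue_token(username, "admin")}
    return {"status": "error", "message": "invalid credentials"}


def uses_shipped_defaults(config: dict) -> bool:
    """True when the configured credentials are still the ones shipped in the package."""
    return _ct_eq(config["username"], SHIPPED_DEFAULTS["username"]) and _ct_eq(
        config["password"], SHIPPED_DEFAULTS["password"]
    )


def login_hardened(config: dict, username: str, password: str) -> dict:
    """Hardened form: constant-time comparison, and while the shipped defaults are
    still configured the only thing a successful login may do is change them."""
    if not (_ct_eq(username, config["username"]) and _ct_eq(password, config["password"])):
        return {"status": "error", "message": "invalid credentials"}
    if uses_shipped_defaults(config):
        return {
            "status": "password_change_required",
            "token": issue_token(username, "change_password_only"),
        }
    return {"status": "ok", "token": issue_token(username, "admin")}


def authorize(token: str, required_scope: str) -> bool:
    """Gate for protected dashboard routes: the token must verify and carry the scope."""
    claims = verify_token(token)
    return claims is not None and claims.get("scope") == required_scope


if __name__ == "__main__":
    # The reproduction payload from the submission, sent to both handlers.
    body = {"username": "astrbot", "password": "77b90590a8945a7d36c963981a307dc9"}
    print("vulnerable:", login_vulnerable(UNCHANGED_CONFIG, **body)["status"])
    print("hardened:  ", login_hardened(UNCHANGED_CONFIG, **body)["status"])
```

Against the unchanged config the vulnerable handler returns an `admin` token for the published payload, while the hardened handler returns a token that `authorize()` rejects for every scope except `change_password_only`. Storing a password hash rather than the plaintext in the config would be the next hardening step, but it is outside what the submission describes.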
Source: https://gist.github.com/YLChen-007/100a54ba05ff265f9045ad3ed7ec78d6

User: Eric-a (UID 96353)

Submitted: 2026-05-07 01:31 PM (1 month ago)

Moderated: 2026-05-31 09:14 AM (24 days later)

Status: Duplicate

VulDB Entry: 360420 [AstrBotDevs AstrBot up to 4.16.0 Dashboard auth.py weak authentication]

Points: 0
