| 标题 | AstrBotDevs AstrBot 4.23.6 Use of Default Credentials (CWE-1392) |
|---|
| 描述 | # Technical Details
A Use of Default Credentials vulnerability exists in the `login` method in `astrbot/dashboard/routes/auth.py` of AstrBot.
The application fails to enforce the change of hardcoded default dashboard credentials upon installation. The default configuration in `astrbot/core/config/default.py` ships with static credentials (`astrbot` and `77b90590a8945a7d36c963981a307dc9`). Since the `/api/auth/login` endpoint is accessible without authentication, remote attackers can trivially log in using these default credentials.
# Vulnerable Code
File: astrbot/dashboard/routes/auth.py
Method: login
Why: The application directly compares user input against the globally available default credentials defined in the application's config, granting a valid JWT upon match.
# Reproduction
1. Locate an AstrBot instance with the Dashboard enabled.
2. Send an unauthenticated `POST /api/auth/login` request.
3. Supply the JSON payload `{"username": "astrbot", "password": "77b90590a8945a7d36c963981a307dc9"}`.
4. Receive a valid JWT token in the response data and access administrative dashboard features.
# Impact
- Total compromise of the AstrBot dashboard administration interface.
- Unauthorized access to protected APIs enabling configuration modification and potential command execution. |
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/100a54ba05ff265f9045ad3ed7ec78d6 |
|---|
| 用户 | Eric-a (UID 96353) |
|---|
| 提交 | 2026-05-07 13時31分 (28 日前) |
|---|
| 管理 | 2026-05-31 09時14分 (24 days later) |
|---|
| 状态 | 重复 |
|---|
| VulDB条目 | 360420 [AstrBotDevs AstrBot 直到 4.16.0 Dashboard auth.py 弱身份验证] |
|---|
| 积分 | 0 |
|---|