CVE-2026-10210 Overview
CVE-2026-10210 affects AstrBotDevs AstrBot version 4.23.6. The flaw resides in the _sanitize_prompt_description function within astrbot/core/skills/skill_manager.py. An attacker can manipulate input to trigger an injection condition [CWE-74] over the network with low privileges and no user interaction. A public exploit has been released, and the vendor was contacted prior to disclosure but did not respond. The weakness allows tampering with prompt content processed by the skill manager, affecting confidentiality, integrity, and availability at a limited scope.
Critical Impact
Remote attackers with low privileges can inject crafted content into skill prompt descriptions, influencing downstream LLM behavior handled by AstrBot.
Affected Products
- AstrBotDevs AstrBot 4.23.6
- Component: astrbot/core/skills/skill_manager.py
- Function: _sanitize_prompt_description
Discovery Timeline
- 2026-06-01 - CVE-2026-10210 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10210
Vulnerability Analysis
The vulnerability is an improper neutralization of special elements [CWE-74] in the _sanitize_prompt_description function of AstrBot's skill manager. The function fails to properly sanitize prompt description input before it is consumed by downstream processing. An attacker reaches the sink remotely, requiring only low privileges and no user interaction. Successful exploitation lets the attacker inject crafted directives into prompt content handled by the bot.
Because AstrBot orchestrates large language model (LLM) skills, injection into prompt descriptions can alter model behavior, leak intermediate context, or chain into adjacent skill logic. A public proof-of-concept exists on GitHub Gist, increasing the likelihood of opportunistic abuse against exposed AstrBot deployments.
Root Cause
The root cause is insufficient input neutralization inside _sanitize_prompt_description. The sanitizer does not strip or escape characters and sequences that carry semantic meaning to the prompt parser or downstream LLM. Attacker-controlled strings therefore flow into a context where they are interpreted as instructions rather than data.
Attack Vector
The attack is performed remotely against a network-reachable AstrBot instance. The attacker submits a malicious prompt description through an interface that invokes the skill manager. The unsanitized payload is then processed, achieving injection within the skill prompt handling path. See the GitHub Gist PoC and the VulDB CVE-2026-10210 entry for technical specifics.
No verified exploit code is reproduced here; refer to the public references for sanitized technical details.
Detection Methods for CVE-2026-10210
Indicators of Compromise
- Unexpected or malformed entries in skill prompt descriptions stored by AstrBot
- Inbound HTTP requests to AstrBot management or skill registration endpoints carrying control characters, delimiter sequences, or embedded instructions targeting prompt context
- Outbound LLM API calls containing prompt content inconsistent with administrator-configured skills
Detection Strategies
- Audit calls to _sanitize_prompt_description and log raw input alongside sanitized output for offline comparison
- Inspect skill registration and update traffic for injection markers such as instruction overrides, role tokens, or escape sequences
- Correlate authenticated low-privilege user activity with subsequent anomalous skill behavior or prompt content changes
Monitoring Recommendations
- Forward AstrBot application and access logs to a central analytics platform and alert on edits to skill prompt fields by non-administrator accounts
- Monitor for execution of skills whose prompt descriptions changed within a short window before invocation
- Track outbound LLM traffic volume and content shape to flag deviations consistent with prompt injection
How to Mitigate CVE-2026-10210
Immediate Actions Required
- Restrict network exposure of AstrBot 4.23.6 instances to trusted users and networks only
- Revoke or scope down low-privilege accounts that can submit or modify skill prompt descriptions
- Review existing skill prompt descriptions for unauthorized modifications and revert suspicious entries
Patch Information
At the time of publication, no vendor patch is referenced in the NVD entry. The vendor did not respond to the disclosure. Track the VulDB Vulnerability #367489 record and the AstrBot project for fix availability.
Workarounds
- Add an application-layer input filter that rejects control characters and known prompt-injection delimiters before they reach _sanitize_prompt_description
- Enforce strict allowlists for characters permitted in skill prompt descriptions
- Require administrator review for any creation or modification of skill prompts in production environments
- Place AstrBot behind an authenticating reverse proxy and disable anonymous or low-trust skill submission paths
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
