CVE-2026-10213 Overview
CVE-2026-10213 is a path traversal vulnerability [CWE-22] in AstrBotDevs AstrBot version 4.23.6. The flaw affects the /api/skills/delete API endpoint, where manipulation of the Name argument allows traversal outside the intended directory. An authenticated remote attacker with low privileges can exploit this issue over the network.
The exploit code has been publicly released, increasing the risk of opportunistic abuse. The vendor was contacted prior to disclosure but did not respond. No vendor patch is currently referenced in the advisory data.
Critical Impact
Authenticated remote attackers can manipulate the Name parameter to delete files outside the intended skills directory, affecting application integrity and availability.
Affected Products
- AstrBotDevs AstrBot 4.23.6
- Component: /api/skills/delete API endpoint
- Vulnerable parameter: Name
Discovery Timeline
- 2026-06-01 - CVE-2026-10213 published to NVD
- 2026-06-01 - Last updated in NVD database
- 2026-06-04 - EPSS score published (0.048%, percentile 15.387)
Technical Details for CVE-2026-10213
Vulnerability Analysis
The vulnerability resides in the /api/skills/delete endpoint of AstrBot 4.23.6. The endpoint accepts a Name parameter intended to identify a skill resource for deletion. The application does not properly validate or sanitize this input before using it to construct a file system path.
An attacker supplying traversal sequences such as ../ in the Name parameter can escape the skills directory. The result is deletion of any file the AstrBot service account has permission to remove, not just files under the skills directory. Authentication is required, but only low privileges are needed to reach the vulnerable handler.
A public proof-of-concept has been released, lowering the barrier to exploitation. Refer to the GitHub PoC Code Snippet for technical details.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The Name argument is concatenated into a file path without canonicalization or allowlist validation. Standard traversal payloads bypass the intended directory boundary.
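To make the root cause concrete, the following is an added example and not AstrBot's code: a hypothetical skill-deletion handler with the CWE-22 defect the advisory describes (the name is joined straight into a path), next to a hardened version that applies an allowlist, canonicalizes the final path and confirms it is still a direct child of the skills directory. The handler names, the flat skills/<name> layout and the allowlist are assumptions made for the illustration; the directory layout used by demo() is constructed in a temporary folder.

```python
# Added example, not AstrBot's code: a hypothetical skill-deletion handler
# with the CWE-22 defect the advisory describes, next to a hardened version.
import os
import re
import shutil
import tempfile
from pathlib import Path

# Hypothetical allowlist for skill names: no separators, no dots, bounded length.
SKILL_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def delete_skill_vulnerable(skills_dir: str, name: str) -> str:
    """Naive handler (deliberately vulnerable): the user-supplied name is joined
    straight into a path, so '../x' walks out of skills_dir and an absolute name
    makes os.path.join discard skills_dir entirely."""
    target = os.path.join(skills_dir, name)
    os.remove(target)
    return target


def delete_skill_hardened(skills_dir: str, name: str) -> Path:
    """Allowlist the name, canonicalize the final path and confirm it is still a
    direct child of the canonical skills directory before unlinking."""
    if not SKILL_NAME_RE.fullmatch(name):
        raise ValueError("invalid skill name")
    base = Path(skills_dir).resolve()
    target = (base / name).resolve()  # collapses '..' and follows symlinks
    if target.parent != base:         # defence in depth behind the allowlist
        raise ValueError("path escapes skills directory")
    if not target.is_file():
        raise FileNotFoundError(name)
    target.unlink()
    return target


def demo() -> dict:
    """Constructed layout: <tmp>/skills/greeter and <tmp>/secret.txt. Returns
    what each handler did with the traversal payload and a legitimate name."""
    root = Path(tempfile.mkdtemp())
    skills = root / "skills"
    skills.mkdir()
    (skills / "greeter").write_text("# constructed skill file\n")
    secret = root / "secret.txt"
    secret.write_text("constructed config outside the skills directory\n")
    payload = "../secret.txt"  # traversal sequence of the kind the advisory describes

    delete_skill_vulnerable(str(skills), payload)
    result = {"vulnerable_deleted_outside": not secret.exists()}

    secret.write_text("restored\n")
    try:
        delete_skill_hardened(str(skills), payload)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    result["secret_intact_after_hardened"] = secret.exists()

    delete_skill_hardened(str(skills), "greeter")
    result["hardened_legit_delete"] = not (skills / "greeter").exists()

    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The allowlist alone already rejects every traversal form (relative, absolute, encoded dots do not survive the regex); the resolve-and-compare step is kept so that a later change to the allowlist, or a symlink planted inside the skills directory, still cannot reach a file outside it.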
Attack Vector
The attack is performed remotely over the network against the exposed API endpoint. The attacker submits a crafted HTTP request to /api/skills/delete with a Name value containing directory traversal sequences. Successful exploitation deletes files outside the intended scope, impacting integrity and availability of the AstrBot installation.
No synthetic exploit code is reproduced here. Consult the linked VulDB CVE Details and the public PoC for parameter formatting and request structure.
Detection Methods for CVE-2026-10213
Indicators of Compromise
- HTTP requests to /api/skills/delete containing ../, ..\, URL-encoded %2e%2e%2f or %2e%2e%5c, double-encoded %252e%252e%252f, or other traversal sequences in the Name parameter.
- Unexpected deletion of files outside the AstrBot skills directory, especially configuration, log, or data files.
- Authenticated API sessions originating from unusual source addresses targeting skill management endpoints.
Detection Strategies
- Inspect application and reverse-proxy access logs for POST or DELETE requests to /api/skills/delete with suspicious Name values. A Name sent in the request body does not appear in standard access logs, so application-level request logging is needed to see that case.
- Deploy web application firewall (WAF) rules that match path traversal signatures on requests to the AstrBot API surface.
- Correlate file deletion events on the host with corresponding HTTP requests using a centralized log platform.
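The indicators and log-inspection strategy above, as an added example that is not part of the original advisory: a small scanner that reads combined-format access log lines, keeps only requests to /api/skills/delete, decodes each query parameter repeatedly (so single- and double-encoded dots and slashes are caught) and flags values containing a traversal sequence. The log lines are constructed for the example, and the combined log format and the field names in each hit are assumptions; as noted above, a Name carried in a POST body is not visible in access logs and would need application-side logging.

```python
# Added example, not AstrBot's code: flag traversal attempts against
# /api/skills/delete in reverse-proxy access log lines (combined log format).
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/api/skills/delete"

# '..' bounded by a slash, a backslash, or the start/end of the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Combined log format: src - user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: three attacker requests (plain, double-encoded,
# backslash form), one benign deletion, one off-target request.
SAMPLE_LOG = [
    '203.0.113.7 - admin [01/Jun/2026:10:15:02 +0000] "POST /api/skills/delete?Name=..%2F..%2Fdata%2Fconfig.json HTTP/1.1" 200 17',
    '203.0.113.7 - admin [01/Jun/2026:10:15:09 +0000] "POST /api/skills/delete?Name=%252e%252e%252fcmd_config.json HTTP/1.1" 200 17',
    '198.51.100.4 - bob [01/Jun/2026:10:16:00 +0000] "POST /api/skills/delete?Name=greeter HTTP/1.1" 200 17',
    '198.51.100.4 - bob [01/Jun/2026:10:16:30 +0000] "GET /api/skills/list?q=..%2F HTTP/1.1" 200 512',
    '203.0.113.7 - admin [01/Jun/2026:10:17:00 +0000] "POST /api/skills/delete?Name=..\\..\\secrets.txt HTTP/1.1" 200 17',
]


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e%252f is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True when the fully decoded value contains a '..' path component."""
    return TRAVERSAL_RE.search(full_decode(value)) is not None


def scan_access_log(lines, target_path: str = TARGET_PATH) -> list:
    """Return one hit per query parameter whose decoded value contains a
    traversal sequence, for requests to target_path only."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if unquote(parts.path) != target_path:   # path may be encoded as well
            continue
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for raw in values:                    # parse_qs already decoded once
                if is_traversal(raw):
                    hits.append({
                        "src": m["src"], "user": m["user"], "ts": m["ts"],
                        "method": m["method"], "status": m["status"],
                        "param": param, "decoded": full_decode(raw),
                    })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Each hit carries the source address, user and timestamp so it can be joined against host-side file deletion events in the window that follows the request; the off-target request with a traversal sequence in a different endpoint is deliberately not reported, which keeps the rule specific to this advisory but is something to widen if the same handler pattern exists elsewhere in the API.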
Monitoring Recommendations
- Enable audit logging of file system operations performed by the AstrBot process, in particular the unlink, unlinkat and rmdir syscalls (for example with auditd or an equivalent syscall auditing facility).
- Alert on any non-skills directory file deletion performed by the AstrBot service account.
- Track authentication events for the AstrBot API to detect anomalous low-privileged account activity.
How to Mitigate CVE-2026-10213
Immediate Actions Required
- Restrict network access to the AstrBot API endpoint using firewall rules or reverse-proxy allowlists.
- Disable low-privileged accounts that are not strictly required and rotate the credentials of those that remain, since any authenticated user can reach the vulnerable handler.
- Disable the /api/skills/delete endpoint via reverse-proxy rules if skill deletion is not operationally required.
Patch Information
No official vendor patch is referenced in the published advisory data. The vendor did not respond to disclosure attempts. Monitor the AstrBot project and the upstream repository for security updates and apply them once released.
Workarounds
- Place AstrBot behind a reverse proxy configured to reject requests containing .., encoded traversal sequences, or absolute paths in query and body parameters.
- Run the AstrBot service under a dedicated low-privilege user with file system permissions limited to the application directory.
- Apply mandatory access control profiles (AppArmor or SELinux) to constrain which files the AstrBot process can delete.
# Example NGINX rule to block traversal payloads against the vulnerable endpoint.
# The regex also matches percent-encoded dots; '\\\\' in a double-quoted nginx string
# becomes the regex '\\' (one literal backslash) after nginx unescapes the config.
location /api/skills/delete {
    if ($args ~* "(\.|%2e){2}(/|\\\\|%2f|%5c)") { return 403; }
    # $request_body is empty while 'if' runs (rewrite phase, before the body is read),
    # so an nginx 'if' cannot filter a Name sent in the request body; use ModSecurity,
    # njs or a similar body-inspecting module for that case.
    proxy_pass http://astrbot_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.