PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8754 Unknown Vendor CVE debrief

CVE-2026-8754 is a remote path traversal issue in AstrBot’s file upload handler, specifically the post_file function in astrbot/dashboard/routes/chat.py. The supplied record says the filename argument can be manipulated to affect file paths, and it notes that a public exploit is available. The affected range is AstrBot up to 4.23.5, with 4.23.6 identified as the fix release.

Vendor: Unknown Vendor
Product: Unknown
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-18
Advisory published: 2026-05-17
Advisory updated: 2026-05-18

Who should care

Administrators and operators running AstrBot up to 4.23.5, especially if the dashboard or upload functionality is reachable from untrusted networks or by users who should not be able to control upload filenames.

Technical summary

The vulnerability is described as a CWE-22 path traversal issue in the file upload handler. The affected code path is post_file in astrbot/dashboard/routes/chat.py, where unsafely handled filename input can lead to traversal outside the intended directory. The source corpus identifies commit aaec41e5054569ceaa1113593a34da7568e2d211 and release v4.23.6 as the remediation reference.

Defensive priority

The CVSS score is low, but patch promptly: the issue is remotely reachable and the source record indicates a public exploit. Prioritize systems that expose the dashboard or the file upload route.

Recommended defensive actions

  • Upgrade AstrBot to version 4.23.6 or later.
  • Review any deployments still on 4.23.5 or earlier and schedule immediate remediation.
  • Restrict access to dashboard and upload endpoints until patched, especially on internet-facing systems.
  • Validate that uploaded filenames are normalized and constrained to intended directories in any local customizations or forks.
  • Monitor for abnormal file-write behavior around the AstrBot upload workflow after exposure.
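The fourth action above asks that uploaded filenames be normalized and constrained to the intended directory. The following Python is an added illustration of that check and is not AstrBot's code, its fix commit, or a description of the actual post_file handler. It shows the generic unsafe pattern (joining a client-supplied name straight onto a base directory) beside a hardened resolver that refuses anything other than a single safe path component and then confirms the fully resolved path still sits directly under the upload root. The UPLOAD_ROOT value and all function names are constructed for the example.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Constructed example root; the real AstrBot upload directory is not stated on the page.
UPLOAD_ROOT = Path("/var/app/uploads")

# One filename component: letters, digits, dot, underscore, dash. No leading dot,
# so ".", ".." and dotfiles are all rejected. Length capped at 255 characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def unsafe_join(root: str, filename: str) -> str:
    """Illustrative unsafe pattern (hypothetical, not AstrBot's code): joining a
    client-supplied name straight onto the root lets '..' segments walk out of it."""
    return os.path.normpath(os.path.join(root, filename))


def safe_filename(filename: str) -> Optional[str]:
    """Return the name unchanged if it is a single safe path component, else None."""
    if not filename or "\x00" in filename:
        return None
    # Reject any separator outright instead of silently stripping directory parts:
    # a client that sends 'a/../b' is not one whose intent we want to guess at.
    if "/" in filename or "\\" in filename:
        return None
    if _SAFE_NAME.fullmatch(filename) is None:
        return None
    return filename


def safe_upload_path(root: Path, filename: str) -> Optional[Path]:
    """Resolve the destination for an upload, or None if the write must be refused.

    Two independent checks: the filename must be a single safe component, and the
    fully resolved path (symlinks followed) must still sit directly under the
    resolved root. Either check failing is enough to refuse the write.
    """
    name = safe_filename(filename)
    if name is None:
        return None
    resolved_root = root.resolve()
    candidate = (resolved_root / name).resolve()
    if candidate.parent != resolved_root:
        return None  # e.g. the name is an existing symlink that points elsewhere
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest representative of what the
    # hardened resolver must refuse.
    for n in ["report.txt", "../../config/secret.txt", "..\\..\\win.ini", "..", ".env"]:
        print(f"{n!r:30} unsafe -> {unsafe_join(str(UPLOAD_ROOT), n)}")
        print(f"{'':30} safe   -> {safe_upload_path(UPLOAD_ROOT, n)}")
```

The second check in safe_upload_path is deliberately redundant with the first: if a future change relaxes the character allow-list, the parent-directory comparison still catches a resolved path that has left the root. Rejecting separators rather than stripping them also keeps the behaviour easy to audit and easy to log, which supports the monitoring action above.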

Evidence notes

All claims are drawn from the supplied record and its listed references. The record states: affected versions are up to 4.23.5, the issue is in post_file within astrbot/dashboard/routes/chat.py, the input involved is filename, the weakness class is CWE-22, a public exploit is noted, and 4.23.6 plus commit aaec41e5054569ceaa1113593a34da7568e2d211 are the fix references. The vendor mapping in the supplied data is low confidence, so product identification should be treated as source-driven rather than fully normalized.

Official resources

The supplied source record states that the exploit is now public. This debrief does not include exploit details or reproduction steps.