AstrBot Hardcoded JWT Secret Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability exists in AstrBot versions through 3.5.15, where a hardcoded private key is used to sign JSON Web Tokens (JWT). Because the signing key is the same in every installation, anyone who knows it can mint tokens the server accepts as valid. This allows unauthorized plugin uploads, which can lead to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where AstrBot is running.

Reproduction

To reproduce this vulnerability, upload a malicious plugin using a token forged with the hardcoded JWT secret. This is done by sending an upload request to the AstrBot server bearing a JWT whose payload was signed with the exposed secret. The server accepts the token, loads the uploaded plugin and executes its code, resulting in remote code execution.
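The following Python is an added illustration of the root cause and its fix, not AstrBot's own code: it contrasts a signing secret shipped as a constant with a per-deployment secret, and shows that a token minted with the known constant stops verifying once the secret is rotated. The constant value, the `load_secret` and `is_weak_secret` helpers and the `JWT_SECRET` variable name are assumptions; the real AstrBot secret is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Optional

# Constructed placeholder for the pattern in the advisory: a signing secret
# fixed in the source tree instead of chosen per deployment (not the real one).
HARDCODED_SECRET = b"example-hardcoded-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the signature is valid under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        given = _b64url_decode(sig)
    except (ValueError, AttributeError, UnicodeDecodeError):
        return None
    if alg != "HS256":
        return None  # pin the algorithm server-side; never trust the token's alg
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_b64url_decode(body))

def load_secret(env_var: str = "JWT_SECRET") -> bytes:
    """Hardened pattern: per-deployment secret from the environment, else random."""
    value = os.environ.get(env_var)
    return value.encode() if value else secrets.token_bytes(32)

def is_weak_secret(secret: bytes) -> bool:
    """Startup check: reject the shipped constant or anything too short."""
    return secret == HARDCODED_SECRET or len(secret) < 32
```

Running `is_weak_secret` at startup refuses to boot with the shipped constant, and rotating to a `load_secret` value turns every token minted with the old constant into a verification failure.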

Added: May 8, 2026, 7:27 AM
Updated: May 8, 2026, 7:27 AM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       7.8
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.