Vulnerability  ·  2026-07-13

AstrBot MCP Test Endpoint SSRF via mcp_server_config.url

VulnerabilityMedium impactGlobalCVE-2026-15501
AstrBot's MCP Test Endpoint accepts an unvalidated URL for testing MCP server connectivity, letting an authenticated user coerce the server into making requests against internal-only endpoints (SSRF).
AstrBot is an AI chatbot/agent framework with MCP integration; SSRF via its MCP test feature could expose internal services or cloud metadata endpoints reachable from the AstrBot host, though the blast radius is limited to authenticated users and a single niche framework.
The ToolsRoute.test_mcp_connection function in astrbot/dashboard/routes/tools.py fails to validate the mcp_server_config.url argument, allowing an authenticated attacker to make the AstrBot server issue HTTP requests to internal infrastructure via the MCP connection-test feature.
AstrBotDevs AstrBot up to 4.25.2
Upgrade AstrBot beyond 4.25.2 when a fix is released; restrict access to the dashboard/MCP test endpoint and validate/allowlist target URLs for MCP connection tests.
basefortify.eu CVE reportSecNews.gr
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →