A vulnerability, which was classified as critical, has been found in AstrBotDevs AstrBot up to 4.25.2. Affected is the function
FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload[“note”] results in improper authorization.
This vulnerability is known as CVE-2026-15499. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.