| عنوان | SuperAGI up to c3c1982 Missing Authentication for Critical Function (CWE-306) |
|---|
| الوصف | # Technical Details
A Unauthenticated Access to Vector Database Management Endpoints exists in the `get_vector_db_details` and `delete_vector_db` methods in `superagi/controllers/vector_dbs.py` of SuperAGI.
The application fails to authenticate requests for sensitive vector database management endpoints, lacking the `Depends(check_auth)` or `Depends(get_user_organisation)` dependencies.
# Vulnerable Code
File: superagi/controllers/vector_dbs.py
Method: get_vector_db_details, delete_vector_db, update_vector_db
Why: The endpoints do not have authentication dependencies, allowing any unauthenticated attacker to read Vector DB configurations (including API keys), delete Vector DBs and all associated knowledge data, or modify Vector DB indices.
# Reproduction
1. List all Vector DBs: curl -s "http://localhost:3000/api/vector_dbs/get/list"
2. Get Vector DB details: curl -s "http://localhost:3000/api/vector_dbs/db/details/1"
3. Delete a Vector DB: curl -s -X POST "http://localhost:3000/api/vector_dbs/delete/1"
# Impact
- API Key Theft: Vector DB configs contain API keys for Pinecone, Qdrant, or Weaviate services.
- Data Destruction: Deleting a Vector DB cascades to all associated indices and knowledge data.
- Service Disruption: Modifying indices can corrupt the vector search functionality.
|
|---|
| المصدر | ⚠️ https://gist.github.com/YLChen-007/f38b32a9cd0c9722e04a716ca4dbf9d5 |
|---|
| المستخدم | Eric-z (UID 95890) |
|---|
| ارسال | 27/03/2026 12:46 PM (24 أيام منذ) |
|---|
| الاعتدال | 19/04/2026 07:40 AM (23 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 358217 [TransformerOptimus SuperAGI حتى 0.0.14 Vector Database Management Endpoint vector_dbs.py توثيق ضعيف] |
|---|
| النقاط | 20 |
|---|