Submission #791087: SuperAGI up to c3c1982 Missing Authorization (CWE-862)

Information

Title: SuperAGI up to c3c1982 Missing Authorization (CWE-862)

Description:

# Technical Details

A Missing Authorization vulnerability exists in the `update_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI. The application fails to enforce any authentication on the `PUT /vector_dbs/update/vector_db/{vector_db_id}` endpoint. An unauthenticated attacker can modify the vector indices of any Vector DB; sending an empty list `[]` deletes all existing indices, permanently destroying the knowledge base links.

# Vulnerable Code

File: superagi/controllers/vector_dbs.py (lines 124-145)

Method: update_vector_db

Why: The route is registered without any `Depends(check_auth)` dependency. The function compares the incoming `new_indices` list with the existing indices and deletes any index not present in the new list. This means that sending an empty list `[]` deletes ALL indices. The destructive deletion executes even when adding the new indices fails (partial execution).

# Reproduction

1. Ensure SuperAGI is running with a Vector DB that has at least one index configured.
2. Send an unauthenticated PUT request with an empty list to delete all indices:

```
curl -X PUT http://TARGET:3000/vector_dbs/update/vector_db/1 -H "Content-Type: application/json" -d '[]'
```

3. Verify that all indices are deleted:

```
curl -s http://TARGET:3000/vector_dbs/db/details/1
# Response shows "indices": []
```

# Impact

- Data Deletion: Sending an empty `new_indices` list removes all vector indices, destroying the mapping between the Vector DB and stored knowledge.
- Knowledge Base Poisoning: An attacker can silently replace legitimate indices with attacker-controlled ones, changing what knowledge agents retrieve.
- Silent Corruption: Index modifications do not leave obvious traces, making detection difficult.
- No authentication or authorization is required.
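The update logic and the missing route-level check described above, modelled as an added example (this is not SuperAGI's code; the names `VectorDB`, `check_auth`, `update_vector_db_unsafe`, `update_vector_db_hardened` and the sample data are constructed for illustration). It shows the diff-and-delete behaviour, the partial execution that occurs when an add fails after deletions, and a hardened version that authenticates the caller, checks ownership, validates the whole request before mutating anything, applies the change in a single step, and writes an audit record so index changes are no longer traceless:

```python
# Added example, not SuperAGI's own code: an in-memory model of the
# "replace the index list" update described in the advisory. All names and
# the sample data below are constructed for illustration.
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when the caller is not authenticated or not the owner."""


class ValidationError(Exception):
    """Raised when the requested index list is rejected."""


@dataclass
class VectorDB:
    id: int
    owner: str
    indices: set = field(default_factory=set)


def make_store():
    """Constructed sample data: one vector DB owned by 'alice' with two indices."""
    return {1: VectorDB(id=1, owner="alice", indices={"docs-a", "docs-b"})}


def validate_index_name(name):
    # Assumed rule for the example: non-empty string, no path separators.
    if not isinstance(name, str) or not name or "/" in name:
        raise ValidationError(f"bad index name: {name!r}")


def update_vector_db_unsafe(store, vector_db_id, new_indices):
    """Mirrors the flaw described above: no caller check, and indices absent
    from new_indices are dropped before the additions are validated, so a
    failing add still leaves the deletions in place (partial execution)."""
    db = store[vector_db_id]
    for name in list(db.indices):
        if name not in new_indices:
            db.indices.discard(name)      # destructive step runs first
    for name in new_indices:
        validate_index_name(name)         # may raise after deletions happened
        db.indices.add(name)
    return sorted(db.indices)


def check_auth(caller):
    """Stand-in for a route-level authentication dependency (assumed name)."""
    if not caller or not caller.get("authenticated"):
        raise AuthError("401 authentication required")
    return caller["user"]


def update_vector_db_hardened(store, vector_db_id, new_indices, caller, audit_log):
    """Same operation with the checks a defender expects: authenticate,
    authorize against the owner, validate the whole request, then apply the
    change atomically and record who changed what."""
    user = check_auth(caller)
    db = store.get(vector_db_id)
    if db is None:
        raise KeyError(f"vector db {vector_db_id} not found")
    if db.owner != user:
        raise AuthError("403 not the owner of this vector db")
    if not new_indices:
        # An empty list would clear every index; require an explicit delete path.
        raise ValidationError("refusing to remove all indices via update")
    for name in new_indices:
        validate_index_name(name)         # reject the whole request before mutating
    wanted = set(new_indices)
    removed, added = db.indices - wanted, wanted - db.indices
    db.indices = wanted                   # single assignment: no partial state
    audit_log.append({"user": user, "db": vector_db_id,
                      "added": sorted(added), "removed": sorted(removed)})
    return sorted(db.indices)
```

The hardened function deliberately refuses an empty list through the update path: clearing every index is a distinct, high-impact operation that should require its own explicitly authorized endpoint rather than being a side effect of a diff. The audit record gives responders the trace that the advisory notes is otherwise missing.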
Source: https://gist.github.com/YLChen-007/483eda5347002e09409e2d9c2f4fece4

User: Eric-y (UID 95889)

Submitted: 27/03/2026 01:07 PM (25 days ago)

Moderation: 20/04/2026 07:36 AM (24 days later)

Status: Duplicate

VulDB Entry: 358217 [TransformerOptimus SuperAGI up to 0.0.14 Vector Database Management Endpoint vector_dbs.py weak authentication]

Points: 0
