CVE-2024-9447 in superagi

Summary

by MITRE • 03/20/2025

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss.


Analysis

by VulDB Data Team • 07/29/2025

The vulnerability described in CVE-2024-9447 represents a critical authorization flaw within the transformeroptimus/superagi platform that fundamentally undermines the security boundaries between organizations. This issue manifests through the `/get/organisation/` endpoint, which fails to implement proper organization validation checks, creating a path for authenticated users to bypass intended access controls and obtain sensitive information belonging to other organizations within the same system. The flaw directly violates core security principles of least privilege and separation of concerns, as it allows users to extend their access beyond their intended organizational boundaries through simple API requests.

From a technical perspective, this vulnerability is a classic case of insufficient authorization checking, classified as CWE-285 (Improper Authorization) within the CWE taxonomy. The system never validates whether the authenticated user belongs to the organization they are attempting to access, which creates an information disclosure vulnerability that can be exploited through straightforward means. Because the endpoint performs no user-organization relationship verification, any authenticated session can retrieve configuration data, including API keys, database credentials, and other sensitive operational details, from any organization within the platform's scope. Vulnerabilities of this type typically stem from trusting a client-supplied identifier without validating it and from missing access control mechanisms that should enforce organizational boundaries at the application level.

The operational impact of this vulnerability extends far beyond simple data exposure, as it creates opportunities for cascading security incidents that can result in significant financial losses and operational disruption. When authenticated users can access configuration details from other organizations, they gain potential access to interconnected systems, service credentials, and infrastructure components that may provide pathways to additional resources within the broader ecosystem. The exposure of API keys through this vulnerability could enable attackers to compromise external services, access cloud resources, or exploit other systems that rely on the exposed credentials, making this a particularly dangerous flaw in multi-tenant environments. This vulnerability aligns with ATT&CK technique T1078.004, which focuses on valid accounts with insufficient permissions, as it allows users to leverage their authenticated status to access unauthorized resources.

Organizations utilizing this platform face substantial risks when this vulnerability remains unpatched, including potential regulatory compliance violations, reputational damage, and financial losses from unauthorized access to sensitive data. The attack surface expands significantly as the vulnerability allows for reconnaissance activities that can reveal organizational structures, service dependencies, and security configurations that attackers can use to plan more sophisticated attacks. Security teams must consider this vulnerability as part of their broader threat modeling exercises, particularly in environments where multiple organizations share the same platform instance. The remediation process requires implementing robust access control checks at the endpoint level, ensuring that each request is validated against the user's organizational affiliation before any sensitive data is returned. This includes implementing proper session validation, organization-based access controls, and thorough input sanitization to prevent any form of parameter tampering or bypass attempts that might exploit similar authorization gaps in other parts of the application.
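The flaw and its remediation, modelled as an added example in plain Python (this is not SuperAGI's code; the real project uses FastAPI and SQLAlchemy, which are deliberately not imported here). Assumed, and not stated by the advisory: a user record lists the organisation ids the user belongs to, an organisation record carries its configuration including API keys, and the handler receives the already-authenticated user. The tenant data and key values are constructed placeholders. The example goes slightly beyond the single-organisation case by letting a user belong to several organisations.

```python
# Added example, not SuperAGI's code: the missing tenant check behind
# CVE-2024-9447 modelled in plain Python, next to the check that closes it.
# Assumed (not stated by the advisory): a user record lists the organisations
# it belongs to, an organisation record holds its configuration, and the
# handler receives the already-authenticated user. All data is constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    organisation_ids: frozenset  # organisations this user is a member of


@dataclass
class Organisation:
    id: int
    name: str
    config: dict = field(default_factory=dict)  # includes API keys


class Forbidden(Exception):
    """Caller is not a member of the requested organisation."""


class NotFound(Exception):
    """Organisation id does not exist."""


# Constructed tenants; the key values are placeholders, not real credentials.
ORGANISATIONS = {
    1: Organisation(1, "acme", {"OPENAI_API_KEY": "sk-acme-PLACEHOLDER"}),
    2: Organisation(2, "globex", {"OPENAI_API_KEY": "sk-globex-PLACEHOLDER"}),
}


def serialize(org: Organisation) -> dict:
    """Response body as the endpoint would return it."""
    return {"id": org.id, "name": org.name, "config": dict(org.config)}


def get_organisation_vulnerable(current_user: User, organisation_id: int) -> dict:
    """The flawed shape: authentication is assumed, membership is never
    checked, so the client-supplied id selects any tenant's configuration."""
    org = ORGANISATIONS.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    return serialize(org)


def authorize_organisation(current_user: User, organisation_id: int) -> Organisation:
    """Resolve the organisation only if the caller belongs to it.

    Membership is tested before existence is revealed: a non-member gets the
    same Forbidden whether or not the id exists, so the endpoint cannot be
    used to enumerate valid organisation ids.
    """
    if organisation_id not in current_user.organisation_ids:
        raise Forbidden(
            f"user {current_user.id} is not a member of organisation {organisation_id}"
        )
    org = ORGANISATIONS.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    return org


def get_organisation_fixed(current_user: User, organisation_id: int) -> dict:
    """The hardened shape: every request is checked against the caller's
    organisational affiliation before any configuration is returned."""
    return serialize(authorize_organisation(current_user, organisation_id))


def outcome(handler, current_user: User, organisation_id: int) -> str:
    """Exercise a handler and report 'ok', 'forbidden' or 'not_found'."""
    try:
        handler(current_user, organisation_id)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"
    return "ok"


if __name__ == "__main__":
    alice = User(id=10, organisation_ids=frozenset({1}))
    for org_id in (1, 2, 999):
        print(org_id,
              "vulnerable:", outcome(get_organisation_vulnerable, alice, org_id),
              "fixed:", outcome(get_organisation_fixed, alice, org_id))
```

Running the block shows the difference directly: with the vulnerable handler, a member of organisation 1 receives organisation 2's API key; with the fixed handler the same request is refused, and a request for a non-existent id is refused the same way rather than leaking a distinct "not found". A stricter design for an endpoint like this drops the client-supplied id entirely and serves the organisation recorded in the session, which removes the parameter-tampering surface altogether; the comparison shown here is the minimal change when the URL must keep carrying an id.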

Responsible

@huntr Ai

Reservation

10/02/2024

Disclosure

03/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00567

KEV

no

Activities

very low

Sources
