Submit #791086: SuperAGI up to c3c1982 Missing Authorization (CWE-862)info

TitelSuperAGI up to c3c1982 Missing Authorization (CWE-862)
Beschreibung# Technical Details A Missing Authorization vulnerability exists in the `delete_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI. The application fails to enforce any authentication on the `POST /vector_dbs/delete/{vector_db_id}` endpoint. Any unauthenticated attacker can permanently delete any Vector DB by its integer ID, triggering a cascading deletion of all associated indices, configurations, and knowledge entries. # Vulnerable Code File: superagi/controllers/vector_dbs.py (lines 52-62) Method: delete_vector_db Why: The route is registered without any `Depends(check_auth)` or `Depends(get_user_organisation)` dependency. The deletion cascades through: all `knowledges` entries, `vector_db_indices` records, `vector_db_configs` records (including stored API keys), and the `vector_dbs` record itself — it is irreversible. # Reproduction 1. Ensure SuperAGI is running with at least one Vector DB configured. 2. Send an unauthenticated delete request: curl -X POST http://TARGET:3000/vector_dbs/delete/1 3. Verify the DB is permanently deleted: curl -s http://TARGET:3000/vector_dbs/db/details/1 # Returns 500 Internal Server Error # Impact - Denial of Service: Agents that rely on the deleted Vector DB for knowledge retrieval will fail permanently. - Data Loss: All vector DB configurations, indices, and knowledge entries are cascade-deleted. - Mass Destruction: Since IDs are sequential integers, an attacker can loop through IDs to destroy all Vector DBs on the platform. - No authentication or authorization is required.
Quelle⚠️ https://gist.github.com/YLChen-007/01a0b6ec2418a2f4e278b82bdd29b368
Benutzer
 Eric-y (UID 95889)
Einreichung27.03.2026 13:06 (vor 25 Tagen)
Moderieren20.04.2026 07:36 (24 days later)
StatusDuplikat
VulDB Eintrag358217 [TransformerOptimus SuperAGI bis 0.0.14 Vector Database Management Endpoint vector_dbs.py schwache Authentisierung]
Punkte0

ZurückÜbersichtWeiter

Do you know our Splunk app?

Download it now for free!