Submit #791087: SuperAGI up to c3c1982 Missing Authorization (CWE-862)

Title: SuperAGI up to c3c1982 Missing Authorization (CWE-862)
Description:

# Technical Details

A Missing Authorization vulnerability exists in the `update_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI. The application fails to enforce any authentication on the `PUT /vector_dbs/update/vector_db/{vector_db_id}` endpoint. An unauthenticated attacker can modify the vector indices of any Vector DB: sending an empty list `[]` deletes all existing indices, permanently destroying the knowledge base links.

# Vulnerable Code

File: `superagi/controllers/vector_dbs.py` (lines 124-145)
Method: `update_vector_db`
Why: The route is registered without any `Depends(check_auth)` dependency. The function compares the incoming `new_indices` list with the existing indices and deletes any index not present in the new list, so sending an empty list `[]` deletes ALL indices. The destructive deletion executes even when adding the new indices fails (partial execution).

# Reproduction

1. Ensure SuperAGI is running with a Vector DB that has at least one index configured.
2. Send an unauthenticated PUT request with an empty list to delete all indices:

   ```
   curl -X PUT http://TARGET:3000/vector_dbs/update/vector_db/1 -H "Content-Type: application/json" -d '[]'
   ```

3. Verify that all indices are deleted:

   ```
   curl -s http://TARGET:3000/vector_dbs/db/details/1
   # Response shows "indices": []
   ```

# Impact

- Data Deletion: Sending an empty `new_indices` list removes all vector indices, destroying the mapping between the Vector DB and stored knowledge.
- Knowledge Base Poisoning: An attacker can silently replace legitimate indices with attacker-controlled ones, changing what knowledge agents retrieve.
- Silent Corruption: Index modifications do not leave obvious traces, making detection difficult.
- No authentication or authorization is required.
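A hardened counterpart to the handler described above, added here as an example and not SuperAGI's own code: the entry point models what a route-level `Depends(check_auth)` enforces, and the reconciliation validates every addition before removing anything and refuses a bare `[]` unless the caller opts in. All names (`VectorDbRecord`, `reconcile_indices`, `probe_index`, `allow_clear`) are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


class Unauthorized(Exception):
    """No authenticated user on the request (HTTP 401 in the real app)."""


class UpdateRejected(Exception):
    """Update refused before any index was touched."""


@dataclass
class VectorDbRecord:            # hypothetical stand-in for the ORM row
    db_id: int
    indices: List[str] = field(default_factory=list)


def reconcile_indices(record: VectorDbRecord, new_indices: List[str],
                      probe_index: Callable[[str], bool],
                      allow_clear: bool = False) -> Tuple[List[str], List[str]]:
    """Replace record.indices with new_indices and return (added, removed).

    - A bare `[]` is rejected unless the caller passes allow_clear=True.
    - Every index to be added is checked with probe_index() before anything
      is removed, so a failed add can no longer leave deletions behind.
    """
    wanted = list(dict.fromkeys(new_indices))       # de-duplicate, keep order
    if not wanted and not allow_clear:
        raise UpdateRejected("refusing to delete all indices without allow_clear")
    to_add = [i for i in wanted if i not in record.indices]
    to_remove = [i for i in record.indices if i not in wanted]
    missing = [i for i in to_add if not probe_index(i)]
    if missing:
        raise UpdateRejected(f"unknown indices, nothing changed: {missing}")
    record.indices = wanted                         # one assignment: no partial state
    return to_add, to_remove


def update_vector_db(user: Optional[str], record: VectorDbRecord, body: List[str],
                     probe_index: Callable[[str], bool]) -> Tuple[List[str], List[str]]:
    """Handler entry point: authenticate first (the check Depends(check_auth) provides), then reconcile."""
    if user is None:
        raise Unauthorized("authentication required")
    return reconcile_indices(record, body, probe_index)


if __name__ == "__main__":
    db = VectorDbRecord(1, ["docs-v1"])             # constructed sample record
    print(update_vector_db("alice", db, ["docs-v1", "docs-v2"], lambda i: i.startswith("docs")))
```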
Source: https://gist.github.com/YLChen-007/483eda5347002e09409e2d9c2f4fece4
User: Eric-y (UID 95889)
Submission: 27.03.2026 13:07 (24 days ago)
Moderated: 20.04.2026 07:36 (24 days later)
Status: Duplicate
VulDB entry: 358217 [TransformerOptimus SuperAGI up to 0.0.14 Vector Database Management Endpoint vector_dbs.py weak authentication]
Points: 0
