Enviar #791075: SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)información

TítuloSuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)
Descripción# Technical Details An Insecure Direct Object Reference (IDOR) exists in the `update_user` method in `superagi/controllers/user.py` of SuperAGI. The application fails to verify that the requesting authenticated user has permission to modify the target user account. The endpoint only validates the JWT token via `Depends(check_auth)` but does not verify that the authenticated user matches the `user_id` in the URL. # Vulnerable Code File: superagi/controllers/user.py Method: update_user (lines 117-144) Why: The endpoint directly queries `User.id == user_id` without checking if the requesting user owns that account or shares the same organization. It then overwrites the victim's name, email, and password with attacker-supplied values. # Reproduction 1. Authenticate with an attacker account and obtain a valid JWT. 2. Change the victim's password (user_id=2, different org): curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/users/update/2" -d '{"name":"Victim","email":"[email protected]","password":"attacker_controlled"}' 3. Log in as the victim using the new password: curl -s -X POST "http://localhost:8001/login" -H "Content-Type: application/json" -d '{"email":"[email protected]","password":"attacker_controlled"}' # Impact - Account Takeover: Attacker changes any user's password and logs in as that user. - Privilege Escalation: If admin users exist, attacker can take over admin accounts. - Data Breach: Full access to victim's agents, API keys, configurations, and execution history.
Fuente⚠️ https://gist.github.com/YLChen-007/79b967ece52d424558f279156dd53324
Usuario
 Eric-z (UID 95890)
Sumisión2026-03-27 12:49 (hace 25 días)
Moderación2026-04-19 07:41 (23 days later)
EstadoAceptado
Entrada de VulDB358219 [TransformerOptimus SuperAGI hasta 0.0.14 User Update Endpoint user.py update_user user_id escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!