| Field | Value |
|---|---|
| Title | SuperAGI up to c3c1982 Missing Authorization (CWE-862) |
| Source | ⚠️ https://gist.github.com/YLChen-007/01a0b6ec2418a2f4e278b82bdd29b368 |
| User | Eric-y (UID 95889) |
| Submission | 27/03/2026 01:06 PM (2 months ago) |
| Moderation | 20/04/2026 07:36 AM (24 days later) |
| Status | Duplicate |
| VulDB entry | 358217 [TransformerOptimus SuperAGI up to 0.0.14 Vector Database Management Endpoint vector_dbs.py weak authentication] |
| Points | 0 |

# Description

## Technical Details

A Missing Authorization vulnerability exists in the `delete_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI.

The application does not enforce any authentication on the `POST /vector_dbs/delete/{vector_db_id}` endpoint. An unauthenticated attacker can permanently delete any Vector DB by its integer ID, which triggers a cascading deletion of all associated indices, configurations, and knowledge entries.

## Vulnerable Code

- File: `superagi/controllers/vector_dbs.py` (lines 52-62)
- Method: `delete_vector_db`
- Why: The route is registered without any `Depends(check_auth)` or `Depends(get_user_organisation)` dependency. The deletion cascades through all `knowledges` entries, `vector_db_indices` records, `vector_db_configs` records (including stored API keys), and finally the `vector_dbs` record itself; it is irreversible.

## Reproduction

1. Ensure SuperAGI is running with at least one Vector DB configured.
2. Send an unauthenticated delete request:

   ```sh
   curl -X POST http://TARGET:3000/vector_dbs/delete/1
   ```

3. Verify that the DB has been permanently deleted:

   ```sh
   curl -s http://TARGET:3000/vector_dbs/db/details/1   # returns 500 Internal Server Error
   ```

## Impact

- Denial of Service: Agents that rely on the deleted Vector DB for knowledge retrieval will fail permanently.
- Data Loss: All vector DB configurations, indices, and knowledge entries are cascade-deleted.
- Mass Destruction: Because IDs are sequential integers, an attacker can loop through IDs to destroy every Vector DB on the platform.
- No authentication or authorization is required.
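The root cause named above is a route registered without a `Depends(check_auth)` or `Depends(get_user_organisation)` dependency. The following audit script is an added example, not code from the gist, from VulDB or from the SuperAGI project: it parses a FastAPI-style controller module with the standard-library `ast` module and lists every `@router.<method>(...)` / `@app.<method>(...)` handler that neither declares an auth dependency as a parameter default nor passes one through the decorator's `dependencies=[...]` argument. The dependency names `check_auth` and `get_user_organisation` come from the advisory; the sample module it scans is constructed for the example and only resembles the shape of a SuperAGI controller.

```python
"""Audit a FastAPI-style router module for route handlers without an auth dependency.

Added example (not SuperAGI's code). Parses Python source with `ast` and reports
routes whose handler has no `Depends(<auth dependency>)` in its signature and
whose decorator has no `dependencies=[Depends(<auth dependency>)]`.
"""
import ast
from typing import List, Optional, Set, Tuple

# Decorator attributes treated as route registrations (router.post, app.get, ...).
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "api_route"}

# Dependency names that count as authentication/authorization; both names are
# taken from the advisory text above.
AUTH_DEPENDENCIES = {"check_auth", "get_user_organisation"}

# Constructed sample module resembling a controller; NOT the real vector_dbs.py.
SAMPLE_SOURCE = '''
from fastapi import APIRouter, Depends

router = APIRouter()

@router.get("/vector_dbs/list")
def list_vector_dbs(organisation=Depends(get_user_organisation)):
    return []

@router.post("/vector_dbs/delete/{vector_db_id}")
def delete_vector_db(vector_db_id: int):
    return {"deleted": vector_db_id}

@router.post("/vector_dbs/connect/{vector_db_id}", dependencies=[Depends(check_auth)])
def connect_vector_db(vector_db_id: int):
    return {"ok": True}
'''


def _route_decorator(dec: ast.expr) -> Optional[Tuple[str, Optional[str]]]:
    """Return (HTTP method, path) if `dec` is a call such as router.post("/x", ...)."""
    if not isinstance(dec, ast.Call) or not isinstance(dec.func, ast.Attribute):
        return None
    if dec.func.attr not in HTTP_METHODS:
        return None
    path = None
    if dec.args and isinstance(dec.args[0], ast.Constant) and isinstance(dec.args[0].value, str):
        path = dec.args[0].value
    return dec.func.attr.upper(), path


def _depends_names(node: ast.AST) -> Set[str]:
    """Collect X for every `Depends(X)` call found anywhere under `node`."""
    names: Set[str] = set()
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                and sub.func.id == "Depends" and sub.args
                and isinstance(sub.args[0], ast.Name)):
            names.add(sub.args[0].id)
    return names


def find_unprotected_routes(source: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (method, path, handler name) for each route lacking an auth dependency."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            route = _route_decorator(dec)
            if route is None:
                continue
            method, path = route
            # Parameter defaults (node.args) and decorator kwargs (dec) both count.
            deps = _depends_names(node.args) | _depends_names(dec)
            if not deps & AUTH_DEPENDENCIES:
                findings.append((method, path, node.name))
    return findings


if __name__ == "__main__":
    for method, path, handler in find_unprotected_routes(SAMPLE_SOURCE):
        print(f"UNPROTECTED {method} {path} -> {handler}")
```

Run against a real controller by reading its source into `find_unprotected_routes`; a finding means the handler is reachable without passing through any of the listed dependencies, which is exactly the condition the advisory describes for `delete_vector_db`. The check is deliberately syntactic: it does not follow `include_router(..., dependencies=[...])` at the application level, so a route reported here may still be protected by a router-wide dependency, and that case needs a manual look.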