| Field | Value |
|---|---|
| Title | SuperAGI up to c3c1982 Missing Authorization (CWE-862) |

# Description

## Technical Details

A Missing Authorization vulnerability exists in the `update_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI.

The application does not enforce any authentication on the `PUT /vector_dbs/update/vector_db/{vector_db_id}` endpoint. An unauthenticated attacker can modify the vector indices of any Vector DB; sending an empty list `[]` deletes every existing index and permanently destroys the links to the knowledge base.

## Vulnerable Code

- File: `superagi/controllers/vector_dbs.py` (lines 124-145)
- Method: `update_vector_db`
- Why: The route is registered without any `Depends(check_auth)` dependency. The function compares the incoming `new_indices` list with the existing indices and deletes every index that is not present in the new list, so an empty list `[]` deletes ALL indices. The destructive deletion also runs even when adding the new indices fails, so the update is only partially applied.
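The following is an added example, not SuperAGI's own code, of how the index reconciliation described above can be written so that the three weaknesses (no authentication, an empty list wiping every index, and deletions that run even when additions fail) are each closed. The `Principal`, `VectorDB`, `check_auth`, `check_owner` and `create_index` names are assumptions made for this example; they are not SuperAGI identifiers. The plan is computed first, additions are applied before any removal, and every change is written to an audit log so index modifications leave a trace.

```python
"""Hardened index reconciliation for a vector-DB update endpoint (added example).

Assumed, illustrative names only: Principal, VectorDB, check_auth, check_owner,
create_index. None of these are SuperAGI's own definitions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable


class AuthError(Exception):
    """Raised when the caller is missing or not allowed to touch this Vector DB."""


class ValidationError(Exception):
    """Raised when the requested index list is malformed or unsafe to apply."""


@dataclass
class Principal:
    """Authenticated caller (assumed shape, not SuperAGI's session model)."""
    user_id: int
    org_id: int


@dataclass
class VectorDB:
    """Minimal stand-in for the vector_dbs row: the indices it currently links."""
    id: int
    org_id: int
    indices: set[str] = field(default_factory=set)


def check_auth(principal: Principal | None) -> Principal:
    """Authentication: reject anonymous callers before any state is read."""
    if principal is None:
        raise AuthError("authentication required")
    return principal


def check_owner(principal: Principal, db: VectorDB) -> None:
    """Authorization: the caller's organisation must own the Vector DB."""
    if principal.org_id != db.org_id:
        raise AuthError(f"user {principal.user_id} may not modify vector db {db.id}")


def plan_changes(existing: Iterable[str], requested: Iterable[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, to_remove) without touching any state."""
    current, wanted = set(existing), set(requested)
    return wanted - current, current - wanted


def update_vector_db(
    db: VectorDB,
    new_indices: object,
    principal: Principal | None,
    create_index: Callable[[str], None],
    audit_log: list[dict],
) -> list[str]:
    """Replace the index set of `db` with `new_indices`, safely.

    Order matters: authenticate, authorize, validate, create additions, and only
    then apply removals, so a failed creation never leaves a half-emptied DB.
    """
    caller = check_auth(principal)
    check_owner(caller, db)

    if not isinstance(new_indices, list) or not all(
        isinstance(name, str) and name.strip() for name in new_indices
    ):
        raise ValidationError("new_indices must be a list of non-empty index names")
    if not new_indices:
        # An empty list would unlink everything; require an explicit delete call.
        raise ValidationError("refusing to remove every index via update")

    to_add, to_remove = plan_changes(db.indices, new_indices)
    # Create additions first. If any creation raises, the exception propagates
    # before removals are applied, so the DB keeps its previous index set.
    for name in sorted(to_add):
        create_index(name)
    db.indices = (db.indices - to_remove) | to_add

    audit_log.append({
        "actor": caller.user_id,
        "vector_db": db.id,
        "added": sorted(to_add),
        "removed": sorted(to_remove),
    })
    return sorted(db.indices)


if __name__ == "__main__":
    # Constructed sample data: one DB with two indices, updated by its owner.
    sample_db = VectorDB(id=1, org_id=7, indices={"docs", "faq"})
    log: list[dict] = []
    owner = Principal(user_id=1, org_id=7)
    print(update_vector_db(sample_db, ["docs", "policies"], owner, lambda n: None, log))
    print(log)
```

The `audit_log` entries are what a detection rule would key on: a `removed` list that is suddenly long, or any change made by an unexpected actor, is the signal the original unauthenticated route never produces.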
## Reproduction

1. Ensure SuperAGI is running with a Vector DB that has at least one index configured.
2. Send an unauthenticated PUT request with an empty list to delete all indices:

```
curl -X PUT http://TARGET:3000/vector_dbs/update/vector_db/1 -H "Content-Type: application/json" -d '[]'
```

3. Verify that all indices are deleted:

```
curl -s http://TARGET:3000/vector_dbs/db/details/1 # Response shows "indices": []
```

## Impact

- Data Deletion: Sending an empty `new_indices` list removes all vector indices, destroying the mapping between the Vector DB and the stored knowledge.
- Knowledge Base Poisoning: An attacker can silently replace legitimate indices with attacker-controlled ones, changing what knowledge the agents retrieve.
- Silent Corruption: Index modifications leave no obvious traces, which makes detection difficult.
- No authentication or authorization is required.

| Field | Value |
|---|---|
| Source | https://gist.github.com/YLChen-007/483eda5347002e09409e2d9c2f4fece4 |
| User | Eric-y (UID 95889) |
| Submission | 27/03/2026 01:07 PM (2 months ago) |
| Moderation | 20/04/2026 07:36 AM (24 days later) |
| Status | Duplicate |
| VulDB Entry | 358217 [TransformerOptimus SuperAGI up to 0.0.14 Vector Database Management Endpoint vector_dbs.py weak authentication] |
| Points | 0 |