| タイトル | SuperAGI SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| 説明 | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the `delete_api_key` and `edit_api_key` methods in `superagi/controllers/api_key.py` of SuperAGI.
The application fails to verify whether the target API key belongs to the requesting user's organization. The endpoints only validate JWT token authenticity via `Depends(check_auth)`, but perform no ownership check on the target `api_key_id`.
# Vulnerable Code
File: superagi/controllers/api_key.py
Method: delete_api_key (lines 53-60), edit_api_key (lines 63-68)
Why: `ApiKey.get_by_id(db.session, api_key_id)` retrieves the key without verifying `organisation_id` ownership, allowing any authenticated user to delete or rename API keys belonging to other organizations.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Delete a victim's API key:
curl -s -X DELETE -H "Authorization: Bearer $JWT" "http://localhost:3000/api/api-keys/1"
3. Modify a victim's API key name:
curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/api-keys" -d '{"id": 1, "name": "hacked"}'
# Impact
- Service Disruption: Deleting another organization's API keys breaks their agent integrations.
- Access Revocation: Attacker can revoke legitimate users' programmatic access.
- Denial of Service: Systematic deletion of all API keys across the platform.
|
|---|
| ソース | ⚠️ https://gist.github.com/YLChen-007/ba28ac92d9fd011d40560dbf2bac39ce |
|---|
| ユーザー | Eric-z (UID 95890) |
|---|
| 送信 | 2026年03月27日 12:49 (25 日 ago) |
|---|
| モデレーション | 2026年04月19日 07:41 (23 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 358218 [TransformerOptimus SuperAGI 迄 0.0.14 API Key Management Endpoint api_key.py delete_api_key/edit_api_key 特権昇格] |
|---|
| ポイント | 20 |
|---|