提出 #791075: SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)情報

タイトル	SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)
説明	# Technical Details An Insecure Direct Object Reference (IDOR) exists in the `update_user` method in `superagi/controllers/user.py` of SuperAGI. The application fails to verify that the requesting authenticated user has permission to modify the target user account. The endpoint only validates the JWT token via `Depends(check_auth)` but does not verify that the authenticated user matches the `user_id` in the URL. # Vulnerable Code File: superagi/controllers/user.py Method: update_user (lines 117-144) Why: The endpoint directly queries `User.id == user_id` without checking if the requesting user owns that account or shares the same organization. It then overwrites the victim's name, email, and password with attacker-supplied values. # Reproduction 1. Authenticate with an attacker account and obtain a valid JWT. 2. Change the victim's password (user_id=2, different org): curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/users/update/2" -d '{"name":"Victim","email":"[email protected]","password":"attacker_controlled"}' 3. Log in as the victim using the new password: curl -s -X POST "http://localhost:8001/login" -H "Content-Type: application/json" -d '{"email":"[email protected]","password":"attacker_controlled"}' # Impact - Account Takeover: Attacker changes any user's password and logs in as that user. - Privilege Escalation: If admin users exist, attacker can take over admin accounts. - Data Breach: Full access to victim's agents, API keys, configurations, and execution history.
ソース	⚠️ https://gist.github.com/YLChen-007/79b967ece52d424558f279156dd53324
ユーザー	Eric-z (UID 95890)
送信	2026年03月27日 12:49 (24 日 ago)
モデレーション	2026年04月19日 07:41 (23 days later)
ステータス	承諾済み
VulDBエントリ	358219 [TransformerOptimus SuperAGI 迄 0.0.14 User Update Endpoint user.py update_user user_id 特権昇格]
ポイント	20

◂ 前概要次 ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!