| 제목 | SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| 설명 | # Technical Details
A Authorization Bypass exists in the `get_config_by_organisation_id` method in `superagi/controllers/config.py` of SuperAGI.
The application fails to verify if the requesting authenticated user belongs to the specified organization, allowing an Insecure Direct Object Reference (IDOR).
# Vulnerable Code
File: superagi/controllers/config.py
Method: get_config_by_organisation_id
Why: The endpoint uses `Depends(check_auth)` which only validates the validity of the JWT token, but it does NOT verify if the user belongs to the requested `organisation_id` passed in the URL. As a result, the application retrieves and decrypts stored API keys (such as OpenAI keys) of any organization and returns them to the attacker.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Read a victim organization's configs (for example, org_id=3) by sending the following request:
curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/configs/get/organisation/3"
# Impact
- API Key Theft: Attacker steals decrypted LLM API keys (OpenAI, Palm, etc.) belonging to other organizations.
- Financial Abuse: Stolen API keys can be used for unauthorized LLM API calls billed to the victim.
- Configuration Tampering: The companion setup endpoint follows the same pattern, allowing attackers to write configs to any organization.
|
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/678c631238f1767802bda057ea083936 |
|---|
| 사용자 | Eric-z (UID 95890) |
|---|
| 제출 | 2026. 03. 27. PM 12:47 (27 날 ago) |
|---|
| 모더레이션 | 2026. 04. 19. AM 07:40 (23 days later) |
|---|
| 상태 | 중복 |
|---|
| VulDB 항목 | 300344 [transformeroptimus superagi 정보 공개] |
|---|
| 포인트들 | 0 |
|---|