| 제목 | SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| 설명 | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the `update_organisation` method in `superagi/controllers/organisation.py` of SuperAGI.
The application fails to verify that the requesting user belongs to the target organization before allowing modifications. The endpoint only validates the JWT token via `Depends(check_auth)` but does not check organization membership.
# Vulnerable Code
File: superagi/controllers/organisation.py
Method: update_organisation (lines 101-126)
Why: The endpoint queries `Organisation.id == organisation_id` using the attacker-controlled URL parameter without any membership or ownership verification, allowing any authenticated user to overwrite any organization's name and description.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Rename the victim organization (org_id=3):
curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/organisations/update/3" -d '{"name":"HACKED","description":"This org has been compromised"}'
# Impact
- Data Integrity: Organization names and descriptions can be defaced by any authenticated user.
- Phishing: Renaming organizations could confuse users into trusting malicious configurations.
- Note: The related GET endpoint IDOR is tracked under CVE-2024-9447; this is the missed write variant.
|
|---|
| 원천 | ⚠️ https://gist.github.com/YLChen-007/88ea045efa387ab0b93f6dd2f797e653 |
|---|
| 사용자 | Eric-z (UID 95890) |
|---|
| 제출 | 2026. 03. 27. PM 12:50 (25 날 ago) |
|---|
| 모더레이션 | 2026. 04. 19. AM 07:41 (23 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 358220 [TransformerOptimus SuperAGI 까지 0.0.14 Organisation Update Endpoint organisation.py update_organisation organisation_id 권한 상승] |
|---|
| 포인트들 | 20 |
|---|