제출 #791087: SuperAGI up to c3c1982 Missing Authorization (CWE-862)정보

제목	SuperAGI up to c3c1982 Missing Authorization (CWE-862)
설명	# Technical Details A Missing Authorization vulnerability exists in the `update_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI. The application fails to enforce any authentication on the `PUT /vector_dbs/update/vector_db/{vector_db_id}` endpoint. An unauthenticated attacker can modify the vector indices of any Vector DB — sending an empty list `[]` will delete all existing indices, permanently destroying the knowledge base links. # Vulnerable Code File: superagi/controllers/vector_dbs.py (lines 124-145) Method: update_vector_db Why: The route is registered without any `Depends(check_auth)` dependency. The function compares the incoming `new_indices` list with existing indices and deletes any index not present in the new list. This means sending an empty list `[]` deletes ALL indices. The destructive deletion executes even when adding new indices fails (partial execution). # Reproduction 1. Ensure SuperAGI is running with a Vector DB that has at least one index configured. 2. Send an unauthenticated PUT request with an empty list to delete all indices: curl -X PUT http://TARGET:3000/vector_dbs/update/vector_db/1 -H "Content-Type: application/json" -d '[]' 3. Verify all indices are deleted: curl -s http://TARGET:3000/vector_dbs/db/details/1 # Response shows "indices": [] # Impact - Data Deletion: Sending an empty new_indices list removes all vector indices, destroying the mapping between the Vector DB and stored knowledge. - Knowledge Base Poisoning: Attacker can silently replace legitimate indices with attacker-controlled ones, changing what knowledge agents retrieve. - Silent Corruption: Index modifications do not leave obvious traces, making detection difficult. - No authentication or authorization is required.
원천	⚠️ https://gist.github.com/YLChen-007/483eda5347002e09409e2d9c2f4fece4
사용자	Eric-y (UID 95889)
제출	2026. 03. 27. PM 01:07 (25 날 ago)
모더레이션	2026. 04. 20. AM 07:36 (24 days later)
상태	중복
VulDB 항목	358217 [TransformerOptimus SuperAGI 까지 0.0.14 Vector Database Management Endpoint vector_dbs.py 약한 인증]
포인트들	0

◂ 이전 개요 다음 ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!