Submeter #791082: SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)informação

TítuloSuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)
Descrição# Technical Details An Insecure Direct Object Reference (IDOR) exists in the `get_project`, `update_project`, and `get_projects_organisation` methods in `superagi/controllers/project.py` of SuperAGI. The application fails to verify that the target project or organization belongs to the requesting user. All three endpoints only validate the JWT token via `Depends(check_auth)` but perform no organization membership verification. # Vulnerable Code File: superagi/controllers/project.py Method: get_project (lines 70-89), update_project (lines 92-124), get_projects_organisation (lines 127-151) Why: All endpoints use attacker-controlled `project_id` or `organisation_id` URL parameters without any ownership check, allowing cross-organization data access and modification. # Reproduction 1. Authenticate with an attacker account and obtain a valid JWT. 2. List all projects for victim's organization: curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/projects/get/organisation/3" 3. Read a specific victim project: curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/projects/get/1" 4. Modify victim's project name: curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/projects/update/1" -d '{"name":"HACKED Project","description":"compromised"}' # Impact - Information Disclosure: Attacker enumerates all projects and their configurations across all organizations. - Data Integrity: Project names and descriptions can be modified, disrupting team workflows. - Reconnaissance: Project listing reveals organizational structure and agent deployment patterns.
Fonte⚠️ https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b
Utilizador
 Eric-z (UID 95890)
Submissão27/03/2026 13h01 (há 24 dias)
Moderação19/04/2026 18h13 (23 days later)
EstadoAceite
Entrada VulDB358249 [TransformerOptimus SuperAGI até 0.0.14 project.py Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Interested in the pricing of exploits?

See the underground prices here!