Submeter #791086: SuperAGI up to c3c1982 Missing Authorization (CWE-862)informação

TítuloSuperAGI up to c3c1982 Missing Authorization (CWE-862)
Descrição# Technical Details A Missing Authorization vulnerability exists in the `delete_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI. The application fails to enforce any authentication on the `POST /vector_dbs/delete/{vector_db_id}` endpoint. Any unauthenticated attacker can permanently delete any Vector DB by its integer ID, triggering a cascading deletion of all associated indices, configurations, and knowledge entries. # Vulnerable Code File: superagi/controllers/vector_dbs.py (lines 52-62) Method: delete_vector_db Why: The route is registered without any `Depends(check_auth)` or `Depends(get_user_organisation)` dependency. The deletion cascades through: all `knowledges` entries, `vector_db_indices` records, `vector_db_configs` records (including stored API keys), and the `vector_dbs` record itself — it is irreversible. # Reproduction 1. Ensure SuperAGI is running with at least one Vector DB configured. 2. Send an unauthenticated delete request: curl -X POST http://TARGET:3000/vector_dbs/delete/1 3. Verify the DB is permanently deleted: curl -s http://TARGET:3000/vector_dbs/db/details/1 # Returns 500 Internal Server Error # Impact - Denial of Service: Agents that rely on the deleted Vector DB for knowledge retrieval will fail permanently. - Data Loss: All vector DB configurations, indices, and knowledge entries are cascade-deleted. - Mass Destruction: Since IDs are sequential integers, an attacker can loop through IDs to destroy all Vector DBs on the platform. - No authentication or authorization is required.
Fonte⚠️ https://gist.github.com/YLChen-007/01a0b6ec2418a2f4e278b82bdd29b368
Utilizador
 Eric-y (UID 95889)
Submissão27/03/2026 13h06 (há 24 dias)
Moderação20/04/2026 07h36 (24 days later)
EstadoDuplicado
Entrada VulDB358217 [TransformerOptimus SuperAGI até 0.0.14 Vector Database Management Endpoint vector_dbs.py Autenticação fraca]
Pontos0

VoltarVisão GeralPróximo

Interested in the pricing of exploits?

See the underground prices here!