Gửi #791086: SuperAGI up to c3c1982 Missing Authorization (CWE-862)thông tin

tiêu đềSuperAGI up to c3c1982 Missing Authorization (CWE-862)
Mô tả# Technical Details A Missing Authorization vulnerability exists in the `delete_vector_db` function in `superagi/controllers/vector_dbs.py` of SuperAGI. The application fails to enforce any authentication on the `POST /vector_dbs/delete/{vector_db_id}` endpoint. Any unauthenticated attacker can permanently delete any Vector DB by its integer ID, triggering a cascading deletion of all associated indices, configurations, and knowledge entries. # Vulnerable Code File: superagi/controllers/vector_dbs.py (lines 52-62) Method: delete_vector_db Why: The route is registered without any `Depends(check_auth)` or `Depends(get_user_organisation)` dependency. The deletion cascades through: all `knowledges` entries, `vector_db_indices` records, `vector_db_configs` records (including stored API keys), and the `vector_dbs` record itself — it is irreversible. # Reproduction 1. Ensure SuperAGI is running with at least one Vector DB configured. 2. Send an unauthenticated delete request: curl -X POST http://TARGET:3000/vector_dbs/delete/1 3. Verify the DB is permanently deleted: curl -s http://TARGET:3000/vector_dbs/db/details/1 # Returns 500 Internal Server Error # Impact - Denial of Service: Agents that rely on the deleted Vector DB for knowledge retrieval will fail permanently. - Data Loss: All vector DB configurations, indices, and knowledge entries are cascade-deleted. - Mass Destruction: Since IDs are sequential integers, an attacker can loop through IDs to destroy all Vector DBs on the platform. - No authentication or authorization is required.
Nguồn⚠️ https://gist.github.com/YLChen-007/01a0b6ec2418a2f4e278b82bdd29b368
Người dùng
 Eric-y (UID 95889)
Đệ trình27/03/2026 13:06 (cách đây 24 ngày)
Kiểm duyệt20/04/2026 07:36 (24 days later)
Trạng tháiBản sao
Mục VulDB358217 [TransformerOptimus SuperAGI đến 0.0.14 Vector Database Management Endpoint vector_dbs.py xác thực yếu]
điểm0

TrướcTổng QuanTiếp theo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!