| 标题 | SuperAGI SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| 描述 | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the `delete_api_key` and `edit_api_key` methods in `superagi/controllers/api_key.py` of SuperAGI.
The application fails to verify whether the target API key belongs to the requesting user's organization. The endpoints only validate JWT token authenticity via `Depends(check_auth)`, but perform no ownership check on the target `api_key_id`.
# Vulnerable Code
File: superagi/controllers/api_key.py
Method: delete_api_key (lines 53-60), edit_api_key (lines 63-68)
Why: `ApiKey.get_by_id(db.session, api_key_id)` retrieves the key without verifying `organisation_id` ownership, allowing any authenticated user to delete or rename API keys belonging to other organizations.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Delete a victim's API key:
curl -s -X DELETE -H "Authorization: Bearer $JWT" "http://localhost:3000/api/api-keys/1"
3. Modify a victim's API key name:
curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/api-keys" -d '{"id": 1, "name": "hacked"}'
# Impact
- Service Disruption: Deleting another organization's API keys breaks their agent integrations.
- Access Revocation: Attacker can revoke legitimate users' programmatic access.
- Denial of Service: Systematic deletion of all API keys across the platform.
|
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/ba28ac92d9fd011d40560dbf2bac39ce |
|---|
| 用户 | Eric-z (UID 95890) |
|---|
| 提交 | 2026-03-27 12時49分 (24 日前) |
|---|
| 管理 | 2026-04-19 07時41分 (23 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 358218 [TransformerOptimus SuperAGI 直到 0.0.14 API Key Management Endpoint api_key.py delete_api_key/edit_api_key 权限提升] |
|---|
| 积分 | 20 |
|---|