| 标题 | SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| 描述 | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the `update_user` method in `superagi/controllers/user.py` of SuperAGI.
The application fails to verify that the requesting authenticated user has permission to modify the target user account. The endpoint only validates the JWT token via `Depends(check_auth)` but does not verify that the authenticated user matches the `user_id` in the URL.
# Vulnerable Code
File: superagi/controllers/user.py
Method: update_user (lines 117-144)
Why: The endpoint directly queries `User.id == user_id` without checking if the requesting user owns that account or shares the same organization. It then overwrites the victim's name, email, and password with attacker-supplied values.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Change the victim's password (user_id=2, different org):
curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/users/update/2" -d '{"name":"Victim","email":"[email protected]","password":"attacker_controlled"}'
3. Log in as the victim using the new password:
curl -s -X POST "http://localhost:8001/login" -H "Content-Type: application/json" -d '{"email":"[email protected]","password":"attacker_controlled"}'
# Impact
- Account Takeover: Attacker changes any user's password and logs in as that user.
- Privilege Escalation: If admin users exist, attacker can take over admin accounts.
- Data Breach: Full access to victim's agents, API keys, configurations, and execution history.
|
|---|
| 来源 | ⚠️ https://gist.github.com/YLChen-007/79b967ece52d424558f279156dd53324 |
|---|
| 用户 | Eric-z (UID 95890) |
|---|
| 提交 | 2026-03-27 12時49分 (24 日前) |
|---|
| 管理 | 2026-04-19 07時41分 (23 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 358219 [TransformerOptimus SuperAGI 直到 0.0.14 User Update Endpoint user.py update_user user_id 权限提升] |
|---|
| 积分 | 20 |
|---|