| Title | SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639) |
|---|
| Description | # Technical Details
An Insecure Direct Object Reference (IDOR) exists in the `get_agent_execution` and `update_agent_execution` methods in `superagi/controllers/agent_execution.py` of SuperAGI.
The application fails to verify that the target agent execution belongs to the requesting user's organization. Both endpoints only validate the JWT token via `Depends(check_auth)` but perform no ownership check on the `agent_execution_id` URL parameter.
# Vulnerable Code
- File: `superagi/controllers/agent_execution.py`
- Methods: `get_agent_execution` (lines 296-319), `update_agent_execution` (lines 322-356)
- Why: Both endpoints query `AgentExecution.id == agent_execution_id` using an attacker-controlled parameter without filtering by organization. The update endpoint can set the execution status to "RUNNING", which triggers `execute_agent.delay()` and consumes the victim's LLM API credits.
# Reproduction
1. Authenticate with an attacker account and obtain a valid JWT.
2. Read victim's agent execution:
   ```bash
   curl -s -H "Authorization: Bearer $JWT" "http://localhost:3000/api/agentexecutions/get/1"
   ```
3. Terminate victim's running agent:
   ```bash
   curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/agentexecutions/update/1" -d '{"status": "TERMINATED"}'
   ```
4. Or re-trigger victim's agent execution to consume their credits:
   ```bash
   curl -s -X PUT -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" "http://localhost:3000/api/agentexecutions/update/1" -d '{"status": "RUNNING"}'
   ```
# Impact
- Service Disruption: Attacker can terminate victim's running agents.
- Resource Abuse: Attacker triggers execution of victim's agents, consuming their LLM API credits.
- Information Disclosure: Reading execution details exposes agent configurations and run history.
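
The missing ownership check described above, shown next to a tenant-scoped lookup. This is an added example, not code from SuperAGI or from the submitter. The in-memory table, the `organisation_id` field on each record, the function names, and the `enqueue` callback standing in for `execute_agent.delay()` are assumptions made for illustration.

```python
# Added illustration: in-memory stand-in for the AgentExecution table.
# All names and records here are constructed, not SuperAGI's code.
from dataclasses import dataclass


class NotFound(Exception):
    """Would map to an HTTP 404 in a real controller."""


@dataclass
class Execution:
    id: int
    organisation_id: int  # assumed to be resolvable for every execution
    status: str


# Constructed sample data: execution 1 belongs to org 10, execution 2 to org 20.
DB = {1: Execution(1, 10, "RUNNING"), 2: Execution(2, 20, "CREATED")}


def get_execution_vulnerable(execution_id, caller_org_id):
    # Pattern from the report: lookup by id only, the caller's org is ignored.
    row = DB.get(execution_id)
    if row is None:
        raise NotFound(execution_id)
    return row


def get_execution_scoped(execution_id, caller_org_id):
    # Hardened lookup: both the id and the tenant must match. A foreign id
    # raises the same error as a missing one, so the response does not
    # confirm which ids exist in other organisations.
    row = DB.get(execution_id)
    if row is None or row.organisation_id != caller_org_id:
        raise NotFound(execution_id)
    return row


def update_status_scoped(execution_id, caller_org_id, new_status, enqueue):
    # Ownership is verified before any state change or task dispatch.
    row = get_execution_scoped(execution_id, caller_org_id)
    row.status = new_status
    if new_status == "RUNNING":
        enqueue(row.id)  # stand-in for execute_agent.delay()
    return row
```

In a real controller `caller_org_id` must be derived server-side from the authenticated session, never from a request parameter.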
|
|---|
| Source | https://gist.github.com/YLChen-007/d033e9d4d23e0832b9ede71dc545ac9a |
|---|
| User | Eric-z (UID 95890) |
|---|
| Submission | 2026-03-27 12:52 (24 days ago) |
|---|
| Moderation | 2026-04-19 18:13 (23 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 358247 [TransformerOptimus SuperAGI up to 0.0.14 Agent Execution Endpoint agent_execution.py get_agent_execution/update_agent_execution agent_execution_id privilege escalation] |
|---|
| Points | 20 |
|---|