{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6614", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T16:13:35.375Z", "datePublished": "2026-04-20T06:45:11.801Z", "dateUpdated": "2026-04-20T06:45:11.801Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T06:45:11.801Z"}, "title": "TransformerOptimus SuperAGI project.py get_projects_organisation authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "Authorization Bypass"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}], "affected": [{"vendor": "TransformerOptimus", "product": "SuperAGI", "versions": [{"version": "0.0.1", "status": "affected"}, {"version": "0.0.2", "status": "affected"}, {"version": "0.0.3", "status": "affected"}, {"version": "0.0.4", "status": "affected"}, {"version": "0.0.5", "status": "affected"}, {"version": "0.0.6", "status": "affected"}, {"version": "0.0.7", "status": "affected"}, {"version": "0.0.8", "status": "affected"}, {"version": "0.0.9", "status": "affected"}, {"version": "0.0.10", "status": "affected"}, {"version": "0.0.11", "status": "affected"}, {"version": "0.0.12", "status": "affected"}, {"version": "0.0.13", "status": "affected"}, {"version": "0.0.14", "status": "affected"}], "cpes": ["cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T18:18:55.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-z (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358249", "name": "VDB-358249 | TransformerOptimus SuperAGI project.py get_projects_organisation authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358249/cti", "name": "VDB-358249 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791082", "name": "Submit #791082 | SuperAGI up to c3c1982 Authorization Bypass Through User-Controlled Key (CWE-639)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6614", "lastModified": "2026-04-20T07:16:16.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T07:16:16.343", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791082"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358249"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358249/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.14"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "SuperAGI", "source": "cna", "vendor": "TransformerOptimus"}, "product": "superagi", "vendor": "superagi"}], "analysis": {"en": {"generated_at": "2026-04-20T08:23:12.240677+00:00", "value": {"mitigation_remediation": ["Upgrade to a SuperAGI version newer than 0.0.14 once the vendor releases a patch that addresses the authorization checks in the project controller.", "Apply role\u2011based access controls or IP whitelisting to restrict access to the /project endpoints until a patch is available.", "Enable extensive logging of project access attempts and review logs for unauthorized activity."], "summary": {"action": "Assess Impact", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Affected by this flaw are installations of TransformerOptimus SuperAGI up to version 0.0.14. Any deployment that has not upgraded beyond this version and that exposes the /project endpoints can be impacted. The vulnerability exists in the superagi/controllers/project.py module.", "description_and_impact": "The vulnerability is an authorization bypass in the SuperAGI controller functions get_project, update_project, and get_projects_organisation, allowing unauthenticated or improperly authorized users to view or modify any project. The flaw is caused by insufficient verification of user permissions, as indicated by CWE-285 and CWE-639. Attackers can retrieve or change project data without following the intended access controls, potentially exposing confidential project information and enabling further malicious actions.", "risk_and_exploitability": "The CVSS score of 5.3 reflects medium severity. EPSS is not available, so the exact likelihood of exploitation remains unknown. The vulnerability is not listed in the CISA KEV catalog, but the public release of the exploit suggests that attackers can target affected systems remotely. Because the flaw bypasses authorization checks, it can be exploited with only network access to the API and minimal credentials, making it a significant risk for any organization running the vulnerable version."}}}}, "created": "2026-04-20T08:30:02.622435+00:00", "updated": "2026-04-20T09:00:02.857897+00:00", "vendors": ["superagi", "superagi$PRODUCT$superagi"]}