CVE-2026-6584

TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization

CVSS 5.3 MEDIUMEPSS 0.3%CWE-285 CWE-639

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument user_id results in authorization bypass. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Produtos afetados

TransformerOptimus · SuperAGI

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://gist.github.com/YLChen-007/79b967ece52d424558f279156dd53324 https://vuldb.com/submit/791075 https://vuldb.com/vuln/358219 https://vuldb.com/vuln/358219/cti