
SuperAGI CVE-2026-6583

EUVD-2026-23719 · LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-19 · VulDB
CVSS 4.0 (NVD): 2.1

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD) breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline (8 events)

  • Apr 29, 2026 01:12 (NVD): Severity changed, MEDIUM → LOW
  • Apr 29, 2026 01:12 (NVD): CVSS changed, 5.3 (MEDIUM) → 2.1 (LOW)
  • Apr 29, 2026 01:00 (vuln.today): PoC detected, public exploit code
  • Apr 19, 2026 23:22 (NVD): CVSS changed, 5.4 (MEDIUM) → 5.3 (MEDIUM)
  • Apr 19, 2026 23:20 (vuln.today): Analysis generated
  • Apr 19, 2026 23:15 (euvd): EUVD ID assigned, EUVD-2026-23719
  • Apr 19, 2026 23:15 (vuln.today): Analysis generated
  • Apr 19, 2026 23:00 (nvd): CVE published, LOW 2.1

Description (CVE.org)

A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the functions delete_api_key and edit_api_key of the file superagi/controllers/api_key.py of the component API Key Management Endpoint. The manipulation leads to authorization bypass. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI-generated)

Authorization bypass in TransformerOptimus SuperAGI API Key Management allows authenticated users to delete or edit arbitrary API keys beyond their own permissions, affecting versions up to 0.0.14. The vulnerability exists in the delete_api_key and edit_api_key endpoints and enables authenticated attackers to manipulate other users' credentials remotely with low complexity. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain valid user credentials
  • Delivery: Authenticate to SuperAGI API
  • Exploit: Enumerate other users' API key IDs
  • Execution: Send unauthorized delete/edit request
  • Persist: Modify target API key
  • Impact: Revoke or hijack integrations

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires valid authentication to SuperAGI (PR:L in the CVSS vector); the attacker must possess a legitimate user account or obtain one through credential compromise. …

Risk Assessment: CVSS 5.4 (Medium) with network attack vector and low complexity reflects moderate real-world risk. …

Exploit Scenario: An authenticated user with valid credentials (e.g., a low-privilege employee or an attacker with a compromised account) sends a crafted HTTP request to the delete_api_key or edit_api_key endpoint specifying another user's API key ID. Due to missing authorization checks, the endpoint processes the request and modifies or deletes the target API key, allowing the attacker to disable a colleague's integrations or steal API credentials by replacing them with controlled values. …

Remediation: No vendor-released patch has been identified at time of analysis. …
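The CWE-639 pattern the assessment describes, a handler that looks a record up by a client-supplied id and never checks who owns it, is easiest to see next to its fix. The following is an illustrative Python model written for this page; it is not SuperAGI's code, and the store, `Caller`/`ApiKey` types, organisation ids and the `get_owned` helper are all assumptions. It shows the vulnerable delete/edit handlers beside hardened ones that scope every lookup to the caller's organisation, and runs a cross-tenant request through both.

```python
"""Hypothetical model of the CWE-639 pattern described for CVE-2026-6583.

Illustrative code written for this page, not SuperAGI's implementation.
It contrasts handlers that trust the client-supplied key id as the only
lookup (any authenticated caller can edit or delete any key) with handlers
that scope every lookup to the caller's organisation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Caller:
    """Authenticated principal; org_id is the tenant the caller belongs to."""
    user_id: int
    org_id: int


@dataclass
class ApiKey:
    id: int
    org_id: int
    name: str
    revoked: bool = False


@dataclass
class ApiKeyStore:
    """In-memory stand-in for the database table of API keys (assumed)."""
    keys: Dict[int, ApiKey] = field(default_factory=dict)

    def get(self, key_id: int) -> Optional[ApiKey]:
        # Lookup by id alone: this is the call the vulnerable handlers use.
        return self.keys.get(key_id)

    def get_owned(self, key_id: int, org_id: int) -> Optional[ApiKey]:
        # Ownership is part of the lookup itself, so a handler cannot
        # forget the check: a key from another tenant is simply not found.
        key = self.keys.get(key_id)
        return key if key is not None and key.org_id == org_id else None


def seed_store() -> ApiKeyStore:
    """Constructed sample data: org 1 owns key 10, org 2 owns key 20."""
    return ApiKeyStore({
        10: ApiKey(id=10, org_id=1, name="ci-bot"),
        20: ApiKey(id=20, org_id=2, name="billing"),
    })


# Vulnerable pattern: the caller is accepted but never consulted.

def delete_api_key_vulnerable(store: ApiKeyStore, caller: Caller, key_id: int) -> int:
    key = store.get(key_id)
    if key is None:
        return 404
    key.revoked = True
    return 200


def edit_api_key_vulnerable(store: ApiKeyStore, caller: Caller, key_id: int, name: str) -> int:
    key = store.get(key_id)
    if key is None:
        return 404
    key.name = name
    return 200


# Hardened pattern: every lookup is scoped to the caller's tenant.

def delete_api_key_fixed(store: ApiKeyStore, caller: Caller, key_id: int) -> int:
    key = store.get_owned(key_id, caller.org_id)
    if key is None:
        # Same 404 for "does not exist" and "not yours": the response does
        # not confirm that another tenant's key id is valid.
        return 404
    key.revoked = True
    return 200


def edit_api_key_fixed(store: ApiKeyStore, caller: Caller, key_id: int, name: str) -> int:
    key = store.get_owned(key_id, caller.org_id)
    if key is None:
        return 404
    key.name = name
    return 200


def cross_tenant_outcomes() -> dict:
    """Org 1's user targets org 2's key (id 20) through both handler versions."""
    caller = Caller(user_id=7, org_id=1)
    vuln, fixed = seed_store(), seed_store()
    return {
        "vuln_delete": delete_api_key_vulnerable(vuln, caller, 20),
        "vuln_edit": edit_api_key_vulnerable(vuln, caller, 20, "renamed"),
        "vuln_key_after": (vuln.get(20).revoked, vuln.get(20).name),
        "fixed_delete": delete_api_key_fixed(fixed, caller, 20),
        "fixed_edit": edit_api_key_fixed(fixed, caller, 20, "renamed"),
        "fixed_key_after": (fixed.get(20).revoked, fixed.get(20).name),
        # The fixed handler still serves a key the caller actually owns.
        "fixed_own_delete": delete_api_key_fixed(fixed, caller, 10),
    }


if __name__ == "__main__":
    for name, value in cross_tenant_outcomes().items():
        print(f"{name}: {value}")
```

The design point is that the ownership constraint lives in the data-access helper rather than in each endpoint, so a new endpoint added later gets it by default, and that a foreign key id produces the same 404 as a nonexistent one, which removes the oracle an "Enumerate other users' API key IDs" step would otherwise rely on.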


CVE-2026-6583 vulnerability details – vuln.today
