Is there a public PoC exploit available for CVE-2026-6585?

Yes, a public proof-of-concept exploit is available for CVE-2026-6585. Prioritise patching immediately. EPSS: 0.0%.

Superagi CVE-2026-6585

Q: What is the CVSS score of CVE-2026-6585?

CVE-2026-6585 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23723 LOW

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-04-19 VulDB

GHSA-p2p9-2gw5-hphv

Authentication Bypass Superagi

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

CVSS changed

Apr 20, 2026 - 00:22 NVD

5.4 (MEDIUM) 5.3 (MEDIUM)

Analysis Generated

Apr 19, 2026 - 23:51 vuln.today

EUVD ID Assigned

Apr 19, 2026 - 23:45 euvd

EUVD-2026-23723

Analysis Generated

Apr 19, 2026 - 23:45 vuln.today

CVE Published

Apr 19, 2026 - 23:30 nvd

LOW 2.1

DescriptionCVE.org

A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulation of the argument organisation_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated users to modify arbitrary organizations by manipulating the organisation_id parameter in the Organisation Update Endpoint, causing integrity and availability impact. Remote exploitation requires valid credentials and is limited to authenticated users (CVSS PR:L), but publicly available exploit code exists and the vendor has not responded to disclosure.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain valid SuperAGI user credentials

Delivery

Enumerate or discover target organisation_id

Exploit

Send authenticated PATCH request to Organisation Update Endpoint

Install

Manipulate organisation_id parameter in request

Bypass authorization checks

Execute

Modify target organization data

Impact

Achieve integrity or availability impact