Is there a public PoC exploit available for CVE-2026-6612?

Yes, a public proof-of-concept exploit is available for CVE-2026-6612. Prioritise patching immediately. EPSS: 0.0%.

Superagi CVE-2026-6612

Q: What is the CVSS score of CVE-2026-6612?

CVE-2026-6612 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23789 LOW

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-04-20 VulDB

GHSA-6fpm-qhmq-mwq8

Authentication Bypass Superagi

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 20, 2026 - 07:26 vuln.today

CVSS changed

Apr 20, 2026 - 07:22 NVD

6.3 (MEDIUM) 5.3 (MEDIUM)

EUVD ID Assigned

Apr 20, 2026 - 07:15 euvd

EUVD-2026-23789

Analysis Generated

Apr 20, 2026 - 07:15 vuln.today

CVE Published

Apr 20, 2026 - 06:15 nvd

LOW 2.1

DescriptionCVE.org

A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This impacts the function get_agent_execution/update_agent_execution of the file superagi/controllers/agent_execution.py of the component Agent Execution Endpoint. Executing a manipulation of the argument agent_execution_id can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to bypass authorization controls in the Agent Execution Endpoint by manipulating the agent_execution_id parameter in get_agent_execution and update_agent_execution functions. An attacker with valid credentials can access or modify agent execution records they should not have permission to interact with. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain valid SuperAGI user credentials

Delivery

Authenticate to SuperAGI application

Exploit

Identify target agent_execution_id via enumeration

Install

Send GET/POST request with modified agent_execution_id

Authorization check fails in endpoint

Execute

Access or modify unauthorized execution records

Impact

Extract sensitive data or disrupt agent operations