Is there a public PoC exploit available for CVE-2026-6614?

Yes, a public proof-of-concept exploit is available for CVE-2026-6614. Prioritise patching immediately. EPSS: 0.0%.

Superagi CVE-2026-6614

Q: What is the CVSS score of CVE-2026-6614?

CVE-2026-6614 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23785 LOW

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-04-20 VulDB

GHSA-2chg-78hj-c2w2

Authentication Bypass Superagi

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Analysis Generated

Apr 20, 2026 - 07:27 vuln.today

CVSS changed

Apr 20, 2026 - 07:22 NVD

6.3 (MEDIUM) 5.3 (MEDIUM)

EUVD ID Assigned

Apr 20, 2026 - 07:15 euvd

EUVD-2026-23785

Analysis Generated

Apr 20, 2026 - 07:15 vuln.today

CVE Published

Apr 20, 2026 - 06:45 nvd

LOW 2.1

DescriptionCVE.org

A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to access or modify project data without proper authorization checks in the project controller endpoints (get_project, update_project, get_projects_organisation). The vulnerability has publicly available exploit code and affects the project management functionality with limited confidentiality and integrity impact. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid SuperAGI credentials

Delivery

Authenticate to application

Exploit

Enumerate project IDs via API

Execution

Request unauthorized project data

Persist

Modify target project configuration

Impact

Exfiltrate or corrupt project intellectual property