Skip to main content

Superagi EUVD-2026-23721

| CVE-2026-6584 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-19 VulDB GHSA-pw7f-f7wc-gxxw
Authentication Bypass Superagi
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 20, 2026 - 00:22 NVD
5.4 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 19, 2026 - 23:37 vuln.today
EUVD ID Assigned
Apr 19, 2026 - 23:30 euvd
EUVD-2026-23721
Analysis Generated
Apr 19, 2026 - 23:30 vuln.today
CVE Published
Apr 19, 2026 - 23:15 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument user_id results in authorization bypass. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to modify user accounts by manipulating the user_id parameter in the User Update Endpoint (superagi/controllers/user.py), enabling unauthorized data modification and availability impact. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with valid user credentials
Delivery
Identify target user ID via API enumeration or documentation
Exploit
Craft update request with manipulated user_id parameter
Execution
Send HTTP request to User Update Endpoint
Persist
Server applies changes to target user account without authorization check
Impact
Attacker modifies victim account properties
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid, authenticated user session or credentials (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.4 with network vector (AV:N), low complexity (AC:L), and low privilege requirement (PR:L) indicates moderate but genuine risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with valid credentials logs into SuperAGI. The attacker observes that the user update API endpoint accepts a user_id parameter. …
Remediation Upgrade TransformerOptimus SuperAGI to a version newer than 0.0.14 immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-23721 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy