Skip to main content

Superagi EUVDEUVD-2026-23801

| CVE-2026-6615 MEDIUM
Path Traversal (CWE-22)
2026-04-20 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 20, 2026 - 08:22 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 08:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 07:56 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 07:45 euvd
EUVD-2026-23801
Analysis Generated
Apr 20, 2026 - 07:45 vuln.today
CVE Published
Apr 20, 2026 - 07:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Upload Handler. This manipulation of the argument Name causes path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Path traversal in TransformerOptimus SuperAGI versions up to 0.0.14 allows remote unauthenticated attackers to read, write, or delete arbitrary files via manipulated 'Name' parameter in multipart upload requests. Publicly available exploit code exists (GitHub Gist) demonstrating exploitation. EPSS data unavailable, not currently listed in CISA KEV. CVSS 7.3 reflects network-accessible attack with no authentication barrier, though impact is rated as 'Low' across confidentiality, integrity, and availability - likely indicating file system scope limitations rather than full system compromise.

Technical ContextAI

The vulnerability resides in the Upload function within superagi/controllers/resources.py, specifically the multipart file upload handler. CWE-22 (Path Traversal) indicates improper neutralization of special elements like '../' in file paths. When processing multipart upload requests, the 'Name' argument is not properly sanitized, allowing attackers to manipulate the filename parameter to traverse outside intended upload directories. SuperAGI is an autonomous AI agent framework, and this controller likely handles resource uploads for agent workflows. The affected component (CPE cpe:2.3:a:transformeroptimus:superagi) encompasses all versions through 0.0.14, suggesting this is a design flaw in the upload validation logic rather than a regression introduced in a specific version.

RemediationAI

No vendor-released patch identified at time of analysis - vendor did not respond to early disclosure per VulDB report. Immediate compensating controls required: (1) Implement strict input validation for the 'Name' parameter in upload requests, rejecting any filenames containing path traversal sequences (../, ..\ , absolute paths, URL-encoded variants like %2e%2e%2f). Trade-off: May break legitimate use cases requiring nested directory structures in filenames. (2) Configure web application firewall (WAF) rules to block requests with path traversal patterns in multipart form data 'Name' fields. Trade-off: Adds latency and potential for false positives. (3) Run SuperAGI process with minimal filesystem permissions, using a dedicated service account restricted to write only within a sandboxed upload directory. Trade-off: Requires infrastructure changes and may complicate deployment. (4) If feasible, disable or restrict network access to the /resources upload endpoint to trusted internal IPs only until a patch is available. Trade-off: Breaks functionality for remote users. Reference the public exploit at https://gist.github.com/YLChen-007/300843c707435540ce0e23bff3e6173a to understand attack patterns for detection rules. Monitor SuperAGI GitHub repository for community-contributed patches or consider forking to implement fix independently.

CVE-2024-9415 HIGH POC
8.8 Mar 20

A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. Ra

CVE-2024-12048 HIGH POC
8.8 Mar 20

An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. Rated hi

CVE-2024-10267 HIGH POC
7.5 Mar 20

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. Rated high severity

CVE-2024-9447 MEDIUM POC
6.5 Mar 20

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. Rated medium severi

CVE-2024-9418 MEDIUM POC
6.5 Mar 20

In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user's password in

CVE-2026-6582 MEDIUM POC
5.5 Apr 19

Remote unauthenticated access to vector database configurations in TransformerOptimus SuperAGI ≤0.0.14 allows attackers

CVE-2023-48055 HIGH
7.5 Nov 16

SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. Rated high severity (CVSS 7.5), this v

CVE-2026-6612 LOW POC
2.1 Apr 20

TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to bypass authorization controls

CVE-2026-6616 LOW POC
2.1 Apr 20

Server-side request forgery (SSRF) in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attac

CVE-2026-6614 LOW POC
2.1 Apr 20

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to access

CVE-2026-6613 LOW POC
2.1 Apr 20

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated attackers to manipulate th

CVE-2026-6585 LOW POC
2.1 Apr 19

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated users to modify arbitrary

Share

EUVD-2026-23801 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy