CVE-2026-6612 Overview
A significant authorization bypass vulnerability has been identified in TransformerOptimus SuperAGI, an autonomous AI agent framework. This security flaw affects the get_agent_execution and update_agent_execution functions within the superagi/controllers/agent_execution.py file. By manipulating the agent_execution_id parameter, attackers can bypass authorization controls and gain unauthorized access to agent execution data belonging to other users.
Critical Impact
Attackers can remotely bypass authorization controls to access or modify agent execution data, potentially exposing sensitive AI agent configurations and execution histories.
Affected Products
- TransformerOptimus SuperAGI versions up to and including 0.0.14
- Agent Execution Endpoint component
- superagi/controllers/agent_execution.py module
Discovery Timeline
- April 20, 2026 - CVE-2026-6612 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6612
Vulnerability Analysis
This vulnerability stems from improper authorization controls (CWE-285: Improper Authorization) in the Agent Execution Endpoint of SuperAGI. The affected functions fail to properly validate whether the requesting user has legitimate access rights to the specified agent_execution_id before processing requests. This allows authenticated users to enumerate and access agent execution records that do not belong to them by simply manipulating the ID parameter in API requests.
The vulnerability is particularly concerning in multi-tenant environments where multiple users may be running AI agents on a shared SuperAGI instance. An attacker could leverage this flaw to view other users' agent configurations, execution logs, and potentially sensitive data processed by those agents.
Root Cause
The root cause of this vulnerability is the absence of proper ownership validation in the get_agent_execution and update_agent_execution functions. When these endpoints receive a request with an agent_execution_id, they process the request without verifying that the authenticated user is the owner of or has permission to access the specified agent execution record. This represents a classic Insecure Direct Object Reference (IDOR) pattern combined with missing authorization checks.
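The missing check, shown as an added example rather than SuperAGI's own code: the first function resolves a record by ID alone, and the second routes every read and update through one ownership-aware loader. The in-memory store, the `owner_org_id` field and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Maps to HTTP 404; raised for both 'missing' and 'not yours'."""


@dataclass
class AgentExecution:
    id: int
    owner_org_id: int  # assumed ownership column (hypothetical schema)
    status: str


# Constructed sample data: two tenants on one shared instance.
EXECUTIONS = {
    101: AgentExecution(101, owner_org_id=1, status="RUNNING"),
    102: AgentExecution(102, owner_org_id=2, status="COMPLETED"),
}


def get_execution_unchecked(agent_execution_id: int, caller_org_id: int) -> AgentExecution:
    """Pattern described in the advisory: lookup by ID only, caller identity unused."""
    execution = EXECUTIONS.get(agent_execution_id)
    if execution is None:
        raise NotFound(agent_execution_id)
    return execution


def load_owned_execution(agent_execution_id: int, caller_org_id: int) -> AgentExecution:
    """Single choke point: every read/update handler loads records through this."""
    execution = EXECUTIONS.get(agent_execution_id)
    # Same error for 'missing' and 'owned by another tenant', so responses
    # do not confirm which IDs exist.
    if execution is None or execution.owner_org_id != caller_org_id:
        raise NotFound(agent_execution_id)
    return execution


def update_execution_checked(agent_execution_id: int, caller_org_id: int, status: str) -> AgentExecution:
    """Update path reuses the same ownership check before mutating anything."""
    execution = load_owned_execution(agent_execution_id, caller_org_id)
    execution.status = status
    return execution
```

In a real deployment `caller_org_id` must come from the authenticated session or token, never from a request parameter.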
Attack Vector
The attack can be executed remotely over the network by any authenticated user. An attacker would need to:
- Authenticate to the SuperAGI application with valid credentials
- Enumerate or guess valid agent_execution_id values
- Send crafted requests to the Agent Execution Endpoint with manipulated ID parameters
- Access or modify agent execution data belonging to other users
The exploitation mechanism involves directly manipulating the agent_execution_id parameter in API requests to the vulnerable endpoint. Since the agent_execution_id values are likely sequential integers, an attacker can easily enumerate through possible values to discover and access other users' agent executions. The exploit has been publicly disclosed through a GitHub Gist PoC Repository, increasing the risk of active exploitation.
Detection Methods for CVE-2026-6612
Indicators of Compromise
- Unusual patterns of API requests to /agent_execution endpoints with sequential or random ID enumeration
- Access logs showing a single user accessing multiple distinct agent_execution_id values in rapid succession
- Failed authorization attempts followed by successful data retrieval from unauthorized agent execution records
- Anomalous read or write operations on agent execution data by users who did not create those executions
Detection Strategies
- Implement API request monitoring to detect enumeration patterns targeting agent execution endpoints
- Deploy Web Application Firewall (WAF) rules to identify and block rapid sequential ID probing attempts
- Enable detailed audit logging for all agent execution access with user correlation
- Configure alerting for cross-user data access patterns in application logs
Monitoring Recommendations
- Monitor authentication logs for suspicious patterns preceding agent execution access attempts
- Track API response codes to identify potential enumeration activities (successful 200 responses across multiple IDs)
- Implement rate limiting on agent execution endpoints to slow down enumeration attacks
- Review access patterns regularly to identify users accessing resources outside their normal scope
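One way to turn the indicators above (one user, many distinct agent_execution_id values, successful responses, short time span) into a check over access logs. This is an added example, not part of the original advisory or of SuperAGI; the log layout, the `/agent_execution/<id>` path shape and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed for this example):
# ISO timestamp, user=<id>, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>GET|PUT|POST) "
    r"/agent_execution/(?P<exec_id>\d+) (?P<status>\d{3})$"
)


def find_enumerators(lines, window=timedelta(seconds=60), max_distinct_ids=5):
    """Return {user: peak distinct-ID count} for users who received 2xx on more
    than max_distinct_ids different agent_execution_id values inside any window."""
    hits = defaultdict(list)  # user -> [(timestamp, exec_id)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["status"].startswith("2"):
            continue  # skip unrelated lines and non-successful responses
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hits[m["user"]].append((ts, int(m["exec_id"])))

    flagged = {}
    for user, events in hits.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({eid for _, eid in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct_ids:
            flagged[user] = peak
    return flagged


# Constructed sample: user 7 walks IDs 100-109 in ten seconds; user 3 polls one ID.
SAMPLE_LOG = [
    f"2026-04-21T10:00:{i:02d}Z user=7 GET /agent_execution/{100 + i} 200" for i in range(10)
] + [
    f"2026-04-21T10:00:{i * 5:02d}Z user=3 GET /agent_execution/42 200" for i in range(10)
]
```

Joining flagged users against the owner of each accessed record, where the application logs it, separates cross-user access from a user paging through their own executions.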
How to Mitigate CVE-2026-6612
Immediate Actions Required
- Upgrade SuperAGI to a patched version when available from the vendor
- Implement additional authorization middleware to validate resource ownership before processing requests
- Restrict network access to SuperAGI instances to trusted networks or users only
- Review access logs for signs of prior exploitation and audit affected agent execution records
Patch Information
At the time of disclosure, the vendor (TransformerOptimus) was contacted but did not respond regarding this vulnerability. Users should monitor the official SuperAGI GitHub repository for security updates. Until an official patch is released, implementing the workarounds below is strongly recommended.
For additional technical details, refer to the VulDB Vulnerability Entry and the VulDB CTI Information.
Workarounds
- Implement custom middleware to enforce ownership validation on all agent execution API endpoints
- Deploy network-level access controls to limit who can reach the SuperAGI API
- Use API gateway solutions to add an additional authorization layer before requests reach SuperAGI
- Consider temporarily disabling public access to agent execution endpoints until a patch is available
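```nginx
# Example: Add nginx rate limiting for agent execution endpoints
# Rate limiting only slows enumeration; it does not add the missing ownership check.

# In the http block: define the zone that limit_req refers to.
# The 10m size and 10r/s rate are example values; tune them for your traffic.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

# Add to nginx.conf within the server block
location /agent_execution {
    limit_req zone=api_limit burst=5 nodelay;
    limit_req_status 429;

    # Additional access controls
    allow 10.0.0.0/8;   # Internal network only
    deny all;

    # superagi_backend must be defined as an upstream block
    proxy_pass http://superagi_backend;
}
```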

