CVE-2026-6613 Overview
A significant authorization bypass vulnerability has been identified in TransformerOptimus SuperAGI, an open-source AI agent framework. The vulnerability exists in the superagi/controllers/agent.py file, specifically affecting the delete_agent, stop_schedule, and get_schedule_data functions. By manipulating the agent_id parameter, an attacker can bypass authorization controls and perform unauthorized operations on agent resources.
Critical Impact
Remote attackers with low-level privileges can bypass authorization controls to access, modify, or delete AI agent configurations and scheduled tasks belonging to other users, potentially compromising the integrity of AI workflows and sensitive data.
Affected Products
- TransformerOptimus SuperAGI versions up to and including 0.0.14
- SuperAGI installations with exposed agent controller endpoints
- Deployments using the vulnerable agent.py controller module
Discovery Timeline
- April 20, 2026 - CVE-2026-6613 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6613
Vulnerability Analysis
This authorization bypass vulnerability (CWE-285: Improper Authorization) stems from inadequate access control validation in the SuperAGI agent controller. The affected functions fail to properly verify whether the requesting user has legitimate ownership or access rights to the specified agent_id before performing sensitive operations.
When a user makes a request to delete an agent, stop a scheduled task, or retrieve schedule data, the application accepts the agent_id parameter without validating that the authenticated user owns or has permissions to access that particular agent. This allows authenticated users to enumerate and manipulate agent resources belonging to other users in the system.
The vulnerability is remotely exploitable and requires only low-level authentication, making it accessible to any authenticated user of the SuperAGI platform.
Root Cause
The root cause lies in missing or insufficient authorization checks within the delete_agent, stop_schedule, and get_schedule_data functions in the superagi/controllers/agent.py file. The application fails to implement proper ownership validation, allowing any authenticated user to specify arbitrary agent_id values and interact with resources they should not have access to.
This represents a classic Insecure Direct Object Reference (IDOR) pattern where user-supplied identifiers are not properly validated against the authenticated user's permissions before granting access to protected resources.
Attack Vector
The attack can be executed remotely over the network by any authenticated user. An attacker would:
- Authenticate to the SuperAGI platform with valid credentials (even with minimal privileges)
- Identify or enumerate valid agent_id values belonging to other users
- Submit requests to the vulnerable endpoints with the target agent_id
- Successfully access, modify, or delete agent resources without proper authorization
The vulnerability is exploitable with low attack complexity and requires no user interaction. A proof-of-concept demonstrating the vulnerability is publicly available on GitHub Gist.
Detection Methods for CVE-2026-6613
Indicators of Compromise
- Unusual API requests to /agent/delete, /agent/stop_schedule, or /agent/get_schedule_data endpoints with sequential or enumerated agent_id values
- Access logs showing users querying or modifying agent resources they did not create
- Unexpected deletion or modification of agent configurations without corresponding user activity
- API traffic patterns indicating enumeration attempts against agent identifiers
Detection Strategies
- Implement logging and monitoring for all agent controller API endpoints to capture agent_id access patterns
- Deploy anomaly detection rules to identify users accessing agent resources outside their normal scope
- Configure alerts for bulk API requests to agent management endpoints that may indicate enumeration activity
- Review access logs for cross-user agent access patterns that violate expected ownership boundaries
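The log review described above can be automated. The following is an added example, not part of the advisory or of SuperAGI: it flags cross-user access and identifier enumeration on the three endpoints. The key=value log format, the ownership map and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Endpoint paths as listed in the indicators above.
WATCHED = {"/agent/delete", "/agent/stop_schedule", "/agent/get_schedule_data"}
LINE = re.compile(
    r"user=(?P<user>\d+) path=(?P<path>\S+) agent_id=(?P<agent>\d+) status=(?P<status>\d+)"
)

# Constructed ownership map (agent_id -> owning user id), e.g. exported from the database.
OWNERS = {101: 1, 102: 1, 103: 2, 104: 3, 105: 3}

# Constructed sample log; the key=value line format is an assumption.
SAMPLE_LOG = """\
ts=2026-04-21T10:00:01Z user=1 path=/agent/get_schedule_data agent_id=101 status=200
ts=2026-04-21T10:00:05Z user=2 path=/agent/get_schedule_data agent_id=103 status=200
ts=2026-04-21T10:00:06Z user=2 path=/agent/get_schedule_data agent_id=101 status=200
ts=2026-04-21T10:00:07Z user=2 path=/agent/stop_schedule agent_id=102 status=200
ts=2026-04-21T10:00:08Z user=2 path=/agent/delete agent_id=104 status=200
ts=2026-04-21T10:00:09Z user=2 path=/agent/get_schedule_data agent_id=999 status=404
ts=2026-04-21T10:00:30Z user=3 path=/agent/delete agent_id=105 status=200
"""


def analyze(log_text, owners, enum_threshold=3):
    """Return (cross_user_hits, enumerating_users) for the watched endpoints."""
    cross_user = []                 # requests that reached another user's agent
    foreign_ids = defaultdict(set)  # user -> distinct agent ids they do not own
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["path"] not in WATCHED:
            continue
        user, agent, status = int(m["user"]), int(m["agent"]), int(m["status"])
        owner = owners.get(agent)
        if owner == user:
            continue                  # normal access to the caller's own agent
        foreign_ids[user].add(agent)  # unknown ids count as probes too
        if owner is not None:
            cross_user.append((user, m["path"], agent, status))
    enumerators = sorted(u for u, ids in foreign_ids.items() if len(ids) >= enum_threshold)
    return cross_user, enumerators


if __name__ == "__main__":
    hits, enumerators = analyze(SAMPLE_LOG, OWNERS)
    for user, path, agent, status in hits:
        print(f"cross-user: user={user} {path} agent_id={agent} status={status}")
    print("possible enumeration by users:", enumerators)
```

A cross-user hit with a 2xx status means the request was served and should be treated as a confirmed authorization failure, not just a probe.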
Monitoring Recommendations
- Enable detailed request logging for all endpoints in superagi/controllers/agent.py
- Monitor for failed or successful authorization events associated with agent operations
- Implement rate limiting and alerting on excessive requests to agent management endpoints
- Establish baseline user behavior patterns and alert on deviations in agent resource access
How to Mitigate CVE-2026-6613
Immediate Actions Required
- Restrict network access to SuperAGI instances to trusted IP ranges or VPN connections
- Implement additional authentication layers or API gateway controls to limit exposure
- Review application logs for evidence of exploitation attempts against affected endpoints
- Consider temporarily disabling the affected endpoints if they are not business-critical
Patch Information
At the time of disclosure, the vendor (TransformerOptimus) was contacted but did not respond. No official patch has been released for this vulnerability. Organizations using SuperAGI should monitor the official SuperAGI GitHub repository for security updates and consider applying custom mitigations.
For additional technical details and vulnerability tracking, refer to VulDB entry #358248.
Workarounds
- Implement application-layer authorization checks by modifying the affected functions to validate user ownership before processing agent_id parameters
- Deploy a web application firewall (WAF) with rules to inspect and validate agent_id parameters against session-bound user permissions
- Use network segmentation to limit access to the SuperAGI API to trusted internal services only
- Implement custom middleware to enforce authorization policies on agent-related endpoints
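# Example: Restrict access to the SuperAGI API via iptables
# Allow only trusted IP ranges to reach the SuperAGI service port.
# Port 8080 and 10.0.0.0/8 are example values; substitute the port and
# source range used by your deployment. Rules are evaluated in order,
# so the ACCEPT rule must come before the DROP rule.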
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
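The first workaround above (validate ownership before acting on agent_id) is sketched below as an added example. It is not SuperAGI's code or a vendor patch: the in-memory store, the User and Agent classes and the owner_id field are hypothetical stand-ins for the application's own models.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing AND foreign agents, so responses do not reveal which ids exist."""


@dataclass
class User:
    id: int


@dataclass
class Agent:
    id: int
    owner_id: int        # hypothetical ownership field
    schedule: str = ""


def delete_agent_unchecked(agents, user, agent_id):
    # Pattern the advisory describes: agent_id is acted on without an ownership check.
    agents.pop(agent_id, None)


def owned_agent(agents, user, agent_id):
    """Single choke point: resolve agent_id only if the caller owns the agent."""
    agent = agents.get(agent_id)
    if agent is None or agent.owner_id != user.id:
        raise NotFound(agent_id)
    return agent


def delete_agent(agents, user, agent_id):
    owned_agent(agents, user, agent_id)
    del agents[agent_id]


def stop_schedule(agents, user, agent_id):
    owned_agent(agents, user, agent_id).schedule = ""


def get_schedule_data(agents, user, agent_id):
    return owned_agent(agents, user, agent_id).schedule


def demo():
    owner, other = User(1), User(2)   # constructed users
    agents = {101: Agent(101, owner_id=1, schedule="daily 09:00")}
    results = {}
    for name, op in [("delete", delete_agent), ("stop", stop_schedule), ("get", get_schedule_data)]:
        try:
            op(agents, other, 101)
            results[name] = "allowed"
        except NotFound:
            results[name] = "denied"
    results["owner_get"] = get_schedule_data(agents, owner, 101)
    delete_agent_unchecked(agents, other, 101)   # unchecked variant removes the owner's agent
    results["unchecked_deleted"] = 101 not in agents
    return results
```

Routing all three handlers through one lookup helper keeps the check from being forgotten when a new agent endpoint is added.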

