Skip to main content
CVE Vulnerability Database

CVE-2026-6614: SuperAGI Authorization Bypass Vulnerability

CVE-2026-6614 is an authorization bypass flaw in TransformerOptimus SuperAGI affecting versions up to 0.0.14. Attackers can exploit project functions remotely to circumvent access controls. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-6614 Overview

A security flaw has been discovered in TransformerOptimus SuperAGI up to version 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in an authorization bypass that can be exploited remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Critical Impact

Remote attackers can bypass authorization controls to access or modify project data in SuperAGI deployments, potentially compromising AI agent configurations and sensitive project information.

Affected Products

  • TransformerOptimus SuperAGI versions up to and including 0.0.14
  • SuperAGI self-hosted deployments using affected project controller endpoints
  • Organizations running unpatched SuperAGI instances exposed to network access

Discovery Timeline

  • 2026-04-20 - CVE-2026-6614 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-6614

Vulnerability Analysis

This vulnerability is classified as CWE-285 (Improper Authorization). The flaw exists within the project management controller of SuperAGI, specifically in the superagi/controllers/project.py file. The affected functions—get_project, update_project, and get_projects_organisation—fail to properly validate that the requesting user has appropriate authorization to access or modify the targeted project resources.

The authorization bypass allows authenticated users to access or manipulate projects belonging to other users or organizations, violating the principle of least privilege and breaking the application's intended access control boundaries.

Root Cause

The root cause of this vulnerability lies in insufficient authorization checks within the project controller endpoints. The affected functions do not properly verify that the authenticated user has the necessary permissions to perform operations on the specified project resources. This missing authorization validation allows attackers to manipulate request parameters to access resources outside their authorized scope.

Attack Vector

The attack can be performed remotely over the network by authenticated users. An attacker with valid credentials to a SuperAGI instance can craft requests to the vulnerable endpoints, modifying project identifiers or organization parameters to access or modify projects they should not have access to. This represents a horizontal privilege escalation scenario where users can access peer resources.

The vulnerability does not require user interaction beyond the attacker having valid authentication credentials. Once authenticated, the attacker can enumerate and access projects across the system by manipulating API request parameters to the affected controller functions.

Detection Methods for CVE-2026-6614

Indicators of Compromise

  • Unusual API calls to /project endpoints from users accessing projects outside their normal scope
  • Anomalous access patterns showing single users querying multiple organization projects
  • Unexpected modifications to project configurations by unauthorized users
  • Log entries showing cross-organization project access attempts

Detection Strategies

  • Monitor API access logs for get_project, update_project, and get_projects_organisation endpoint calls with mismatched user-project associations
  • Implement anomaly detection for users accessing abnormally high numbers of distinct projects
  • Configure alerts for API requests where the authenticated user's organization differs from the target project's organization
  • Review audit logs for sequential project ID enumeration patterns

Monitoring Recommendations

  • Enable detailed logging for all project controller API endpoints in SuperAGI
  • Implement rate limiting on project-related API endpoints to slow enumeration attempts
  • Deploy application-level monitoring to track cross-tenant access attempts
  • Set up alerting for failed authorization checks if custom logging is implemented

How to Mitigate CVE-2026-6614

Immediate Actions Required

  • Restrict network access to SuperAGI instances to trusted networks only until a patch is available
  • Implement network-level access controls or reverse proxy authentication as an additional layer
  • Review access logs for signs of exploitation targeting project endpoints
  • Consider temporarily disabling external access to vulnerable endpoints if feasible

Patch Information

At the time of publication, no official patch has been released by the vendor. The vendor was contacted about this disclosure but did not respond. Organizations should monitor the official SuperAGI repository for security updates. Additional technical details are available in the VulDB vulnerability entry and the GitHub code snippet documenting the issue.

Workarounds

  • Implement a reverse proxy with additional authorization checks before requests reach the SuperAGI application
  • Deploy network segmentation to limit which users can access the SuperAGI API endpoints
  • Add custom middleware to validate project ownership before allowing access to project endpoints
  • Consider deploying Web Application Firewall (WAF) rules to detect and block suspicious project enumeration patterns

Organizations should carefully evaluate these workarounds against their operational requirements while awaiting an official vendor patch.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.