Description
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
Published: 2026-05-01
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AGL app-framework-binder (afb-daemon) contains a code path that deliberately clears the request credentials before calling an attacker-controlled API. The attacker controls the API name and verb via JSON input, so any registered API can be invoked with a null credential context. When an API subsequently checks the caller's credentials, the missing information can cause it to fail open, letting the attacker obtain elevated privileges on the system. This flaw falls under the category of improper privilege management and can lead to system compromise. The CVSS score of 7.8 classifies it as high severity. EPSS data is unavailable and the vulnerability is not listed in CISA's KEV catalog, but the potential impact remains significant.

Affected Systems

AGL app-framework-binder versions up to and including v19.90.0 are affected. Any system running this daemon and its APIs, especially those that use the credential field for authorization decisions, is at risk. The risk does not extend beyond the affected product itself.

Risk and Exploitability

The vulnerability is exploitable remotely via the supervision Do command and requires the attacker to send a crafted JSON request specifying the target API and verb. No special network access prerequisites beyond those needed to interact with afb‑daemon are required. Because the API can be swapped arbitrarily and credentials are forced to null, an attacker can trigger privileged operations that would normally be denied, potentially leading to complete control of the device. The lack of an official patch and the high CVSS score underscore the urgency of remediation.

Generated by OpenCVE AI on May 2, 2026 at 07:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AGL app‑framework‑binder to a version newer than v19.90.0 where the credential handling has been fixed.
  • If upgrading immediately is not possible, restrict or disable privileged APIs that depend on credential checks, or apply configuration changes to prevent null credential propagation during the Do command.
  • Deploy additional monitoring to detect anomalous API invocations with null credential contexts, and review access controls on critical APIs to ensure they do not succeed when credentials are missing.
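The access-control review in the last item comes down to how each API's authorization check treats a missing credential pointer. The following C sketch is an added example, not code from afb-daemon or from this advisory; the types `cred` and `req_context` and all function names are hypothetical stand-ins. It contrasts a check that fails open on NULL credentials with one that fails closed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-ins for a binder's credential and request context
 * types; these are NOT the afb-daemon definitions. */
struct cred { uid_t uid; };
struct req_context { const struct cred *credentials; };

enum decision { DENY = 0, ALLOW = 1 };

/* Fail-open pattern: the deny branch is only reachable when credentials
 * exist, so a NULL pointer skips the check and falls through to ALLOW. */
enum decision authorize_fail_open(const struct req_context *ctx, uid_t required_uid)
{
    if (ctx->credentials != NULL && ctx->credentials->uid != required_uid)
        return DENY;
    return ALLOW;
}

/* Fail-closed pattern: missing credentials are an explicit denial, decided
 * before any credential field is inspected. */
enum decision authorize_fail_closed(const struct req_context *ctx, uid_t required_uid)
{
    if (ctx == NULL || ctx->credentials == NULL)
        return DENY;
    return ctx->credentials->uid == required_uid ? ALLOW : DENY;
}

/* Constructed scenario: one unprivileged caller, evaluated first with its
 * credentials attached and then with the pointer replaced by NULL.
 * Returns 1 if clearing the credentials changed the decision. */
int null_cred_changes_outcome(enum decision (*check)(const struct req_context *, uid_t))
{
    const struct cred caller = { .uid = 1000 };  /* constructed sample uid */
    struct req_context ctx = { .credentials = &caller };
    enum decision with_cred = check(&ctx, 0);    /* the API requires uid 0 */
    ctx.credentials = NULL;                      /* credentials cleared before dispatch */
    enum decision without_cred = check(&ctx, 0);
    return with_cred != without_cred;
}

int main(void)
{
    printf("fail-open flips on NULL:   %d\n", null_cred_changes_outcome(authorize_fail_open));
    printf("fail-closed flips on NULL: %d\n", null_cred_changes_outcome(authorize_fail_closed));
    return 0;
}
```

A check whose decision changes when the credential pointer becomes NULL is the kind this review should flag and rewrite in the fail-closed form.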


Advisories

No advisories yet.

History

Sat, 02 May 2026 08:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Privilege Escalation via Nullified Credentials in AGL app-framework-binder |

Fri, 01 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-269 |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 01 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | (the Description text shown at the top of this page) |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:U/UI:N'} |


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:45:35.959Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37525

Vulnrichment

Updated: 2026-05-01T19:36:56.004Z

NVD

Status: Received

Published: 2026-05-01T17:16:22.270

Modified: 2026-05-01T20:16:22.353

Link: CVE-2026-37525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:00:14Z

Weaknesses