Description
A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized retrieval of vector database details
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the get_vector_db_details function of the Vector Database Management Endpoint in TransformerOptimus SuperAGI. The endpoint performs no authorization checks, allowing any remote user to obtain detailed information about vector databases managed by the system. This vulnerability allows an attacker to retrieve database details without authentication.

Affected Systems

The issue affects TransformerOptimus SuperAGI versions up to and including 0.0.14. The affected component is the vector_dbs.py controller in the superagi package.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium severity. The vulnerability is not listed in CISA KEV. The exploit is documented and can be executed remotely, allowing attackers to trigger the endpoint from outside the network. As the vendor has not released a patch, exposed installations face a higher risk.

Generated by OpenCVE AI on April 20, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's website or repository for an updated release that addresses the missing authentication issue in get_vector_db_details and upgrade SuperAGI to version 0.0.15 or later.
  • Implement network‑level controls to restrict access to the Vector Database Management Endpoint, allowing only trusted IPs or internal networks to reach it.
  • Add authentication and authorization to the endpoint, for example by requiring an API key or OAuth token before returning database details.
  • If the endpoint is not required for the deployment, disable or remove the vector_dbs API route entirely.

Generated by OpenCVE AI on April 20, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 19 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title TransformerOptimus SuperAGI Vector Database Management Endpoint vector_dbs.py get_vector_db_details missing authentication
First Time appeared Superagi
Superagi superagi
Weaknesses CWE-287
CWE-306
CPEs cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*
Vendors & Products Superagi
Superagi superagi
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Superagi Superagi
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T22:45:11.780Z

Reserved: 2026-04-19T05:40:42.538Z

Link: CVE-2026-6582

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-19T23:16:34.080

Modified: 2026-04-19T23:16:34.080

Link: CVE-2026-6582

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T01:00:09Z

Weaknesses