Description
A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument user_id results in authorization bypass. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

The flaw resides in the update_user endpoint of SuperAGI's controller, where an attacker can manipulate the user_id parameter to bypass authorization checks, enabling unauthorized modification of any user account. This weakness aligns with CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

TransformerOptimus SuperAGI versions up to 0.0.14 are affected. The issue occurs within the SuperAGI application, specifically in the user.py controller handling user updates. No finer version details are provided beyond the 0.0.14 cutoff.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and while an EPSS value is absent, the publicly disclosed exploit demonstrates that remote attackers can trigger the bypass by crafting requests to the update_user endpoint with arbitrary user_id values. As the flaw is not listed in the CISA KEV catalog, it may have gone unnoticed in some environments, yet the public proof-of-concept shows that attackers can gain unauthorized control over user data.

Generated by OpenCVE AI on April 20, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SuperAGI to 0.0.15 or newer once available.
  • Restrict the update_user endpoint to authenticated users and verify the user_id against the session's user identity before processing the request.
  • Implement server-side validation to ensure that only authorized roles (e.g., administrators) can modify other users' accounts.

Generated by OpenCVE AI on April 20, 2026 at 00:20 UTC.
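The check the recommended actions describe, as an added Python example that is not SuperAGI's own code: a minimal update handler in the CWE-639 shape (client-supplied user_id used directly as the record key) beside a variant that decides authorization from the session user and an assumed "admin" role. SessionUser, the in-memory user table and the field allow-list are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical stand-in for the authenticated session user; not a SuperAGI class.
@dataclass(frozen=True)
class SessionUser:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)

class AuthorizationError(Exception):
    """Raised when the caller may not modify the requested account."""

def sample_users() -> dict:
    """Constructed in-memory user table standing in for the database."""
    return {1: {"name": "alice", "email": "alice@example.invalid"},
            2: {"name": "bob", "email": "bob@example.invalid"}}

def update_user_vulnerable(users: dict, user_id: int, updates: dict,
                           caller: SessionUser) -> dict:
    """CWE-639 shape: the client-supplied user_id is trusted as the record
    key and is never compared with the authenticated caller."""
    users[user_id].update(updates)
    return users[user_id]

def is_update_allowed(caller: SessionUser, target_user_id: int) -> bool:
    """Server-side decision: own account, or an assumed 'admin' role."""
    return caller.user_id == target_user_id or "admin" in caller.roles

def update_user_fixed(users: dict, user_id: int, updates: dict,
                      caller: SessionUser) -> dict:
    """Hardened variant: authorize from the session before touching the row,
    and accept only an explicit set of updatable fields."""
    if not is_update_allowed(caller, user_id):
        raise AuthorizationError(
            f"user {caller.user_id} may not modify user {user_id}")
    if user_id not in users:
        raise KeyError(user_id)
    allowed = {"name", "email"}
    users[user_id].update({k: v for k, v in updates.items() if k in allowed})
    return users[user_id]

if __name__ == "__main__":
    alice = SessionUser(user_id=1)  # authenticated as user 1, targets user 2
    print(update_user_vulnerable(sample_users(), 2, {"email": "x@x"}, alice))
    try:
        update_user_fixed(sample_users(), 2, {"email": "x@x"}, alice)
    except AuthorizationError as exc:
        print("blocked:", exc)
```

The same comparison is the detection hook: log every request where the session user id and the target user_id differ, and alert when the caller holds no role that permits it.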

Tracking


Advisories

No advisories yet.

History

Sun, 19 Apr 2026 23:30:00 +0000

Type                | Values Removed | Values Added
Description         |                | A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument user_id results in authorization bypass. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title               |                | TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization
First Time appeared |                | Superagi; Superagi superagi
Weaknesses          |                | CWE-285; CWE-639
CPEs                |                | cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*
Vendors & Products  |                | Superagi; Superagi superagi
References          |                |
Metrics             |                | cvssV2_0 {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0 {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
                    |                | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Superagi Superagi
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T23:15:16.091Z

Reserved: 2026-04-19T05:41:06.301Z

Link: CVE-2026-6584

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T00:16:34.093

Modified: 2026-04-20T00:16:34.093

Link: CVE-2026-6584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T01:00:08Z

Weaknesses