Description
A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulation of the argument organisation_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Authorization Bypass
Action: Assess Impact
AI Analysis

Impact

The SuperAGI update_organisation endpoint allows an attacker to supply an arbitrary organisation_id and modify organisational data, bypassing all authorization checks. This flaw permits an unauthenticated or minimally privileged user to alter or delete resources belonging to any organization, potentially leading to data tampering, unauthorized access, and privilege escalation.

Affected Systems

Products impacted are TransformerOptimus SuperAGI for all versions up to and including 0.0.14, specifically the superagi/controllers/organisation.py module which contains the update_organisation endpoint. Deployments running any version in this range are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 classifies this as moderate severity. Exploitation can be performed remotely by sending a crafted HTTP request to the update_organisation API, manipulating the organisation_id parameter. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating a moderate risk of exploitation but no current evidence of widespread active attacks.

Generated by OpenCVE AI on April 20, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch that addresses update_organisation in SuperAGI version 0.0.15 or newer.
  • If a patch is not yet released, enforce role-based access control on the update_organisation API so that only users with explicit organisational owner privileges can invoke the endpoint.
  • Actively monitor API logs for unexpected organisation_id values or repeated update attempts and investigate any anomalies promptly.
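The object-level check behind the second recommendation, shown as an added illustration rather than SuperAGI's own code: a hypothetical update handler in the CWE-639 shape the description implies, beside a hardened form that refuses any organisation_id other than the caller's own organisation unless the caller is its owner. The User, Organisation and in-memory store names are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    organisation_id: int   # organisation the user belongs to (constructed model)
    role: str = "member"   # "owner" or "member"

@dataclass
class Organisation:
    id: int
    name: str

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

def fresh_store():
    """Constructed in-memory stand-in for the organisation table."""
    return {1: Organisation(1, "alpha"), 2: Organisation(2, "beta")}

def update_organisation_weak(store, organisation_id, new_name, current_user):
    """CWE-639 shape: the caller-supplied id alone selects the row to modify."""
    org = store.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    org.name = new_name  # nothing ties current_user to this organisation
    return org

def update_organisation_hardened(store, organisation_id, new_name, current_user):
    """Authorise before fetching: the id must be the caller's own organisation
    and the caller must be its owner, so foreign ids are refused uniformly."""
    if organisation_id != current_user.organisation_id or current_user.role != "owner":
        raise Forbidden(f"user {current_user.id} may not update organisation {organisation_id}")
    org = store.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    org.name = new_name
    return org

def outcome(handler, store, organisation_id, new_name, current_user):
    """Call a handler and report 'updated', 'forbidden' or 'not_found'."""
    try:
        handler(store, organisation_id, new_name, current_user)
        return "updated"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"
```

Checking authorisation before the lookup also means a caller cannot learn which organisation ids exist by probing the endpoint.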


Advisories

No advisories yet.

History

Sun, 19 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description |  | A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulation of the argument organisation_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title |  | TransformerOptimus SuperAGI Organisation Update Endpoint organisation.py update_organisation authorization
First Time appeared |  | Superagi; Superagi superagi
Weaknesses |  | CWE-285; CWE-639
CPEs |  | cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*
Vendors & Products |  | Superagi; Superagi superagi
References |  | 
Metrics |  | cvssV2_0 {'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}
 |  | cvssV3_0 {'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
 |  | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}
 |  | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T23:30:14.085Z

Reserved: 2026-04-19T05:41:15.270Z

Link: CVE-2026-6585

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T00:16:34.307

Modified: 2026-04-20T00:16:34.307

Link: CVE-2026-6585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T00:30:27Z

Weaknesses