Description
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Authorization Bypass
Action: Assess Impact
AI Analysis

Impact

A flaw in the Budget Endpoint of TransformerOptimus SuperAGI, versions up to and including 0.0.14, lets an attacker reach the get_budget and update_budget functions in superagi/controllers/budget.py without proper authorization. The weakness is improper authorization (CWE-285) reached through a user-controlled key (CWE-639): the request names the budget record to act on, and the handler does not confirm that the caller is entitled to that record before reading or writing it. A successful exploit lets an attacker read or modify budget records that belong to other users, which can lead to financial loss or mismanagement.
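The pattern behind such a bypass, as an added example that is not SuperAGI's code: a handler that only checks that the caller is authenticated and then trusts the client-supplied budget id, beside the object-level ownership check that closes it. The record and caller shapes (an organisation_id column on the budget, a caller whose organisation is resolved from the session) and the in-memory store are assumptions for illustration.

```python
"""Added example (not SuperAGI's code): the CWE-639 pattern behind a
budget-endpoint authorization bypass, and the object-level check that
closes it.

Assumptions, all hypothetical: each budget row carries an organisation_id,
the caller's organisation is resolved from the authenticated session, and
the route hands the client-supplied budget id straight to the handler.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller is not entitled to the requested budget."""


@dataclass
class Budget:
    id: int
    organisation_id: int   # owning organisation (assumed column)
    max_budget: float


@dataclass(frozen=True)
class Caller:
    user_id: int
    organisation_id: int   # derived from the authenticated session


def sample_budgets() -> dict:
    """Constructed data: two organisations, one budget each."""
    return {
        1: Budget(id=1, organisation_id=10, max_budget=100.0),
        2: Budget(id=2, organisation_id=20, max_budget=500.0),
    }


# --- vulnerable pattern -------------------------------------------------
# The only gate is "is there an authenticated caller?"; the id taken from
# the URL is trusted to be one the caller may see. Any logged-in user can
# therefore read or rewrite any organisation's budget (CWE-639 -> CWE-285).

def get_budget_vulnerable(store, budget_id, caller):
    budget = store.get(budget_id)
    if budget is None:
        raise KeyError(budget_id)
    return budget


def update_budget_vulnerable(store, budget_id, caller, max_budget):
    budget = get_budget_vulnerable(store, budget_id, caller)
    budget.max_budget = max_budget
    return budget


# --- hardened pattern ---------------------------------------------------
# Resolve the row and its ownership in one place, and return the same
# error for "does not exist" and "not yours" so responses do not reveal
# which ids are valid.

def _load_owned_budget(store, budget_id, caller):
    budget = store.get(budget_id)
    if budget is None or budget.organisation_id != caller.organisation_id:
        raise AuthorizationError(f"budget {budget_id} is not accessible")
    return budget


def get_budget_fixed(store, budget_id, caller):
    return _load_owned_budget(store, budget_id, caller)


def update_budget_fixed(store, budget_id, caller, max_budget):
    if max_budget < 0:
        raise ValueError("max_budget must be non-negative")
    budget = _load_owned_budget(store, budget_id, caller)
    budget.max_budget = max_budget
    return budget


def demonstrate() -> dict:
    """Send the same cross-tenant requests through both handlers and
    report what each allowed."""
    store = sample_budgets()
    attacker = Caller(user_id=7, organisation_id=10)   # member of org 10 only
    # Vulnerable: org 10's user reads and then zeroes org 20's budget.
    leaked = get_budget_vulnerable(store, 2, attacker).max_budget
    update_budget_vulnerable(store, 2, attacker, 0.0)
    tampered = store[2].max_budget
    # Fixed: the same request is refused and the row is left untouched,
    # while the caller's own budget (id 1) is still reachable.
    store = sample_budgets()
    try:
        update_budget_fixed(store, 2, attacker, 0.0)
        refused = False
    except AuthorizationError:
        refused = True
    return {"leaked": leaked, "tampered": tampered, "refused": refused,
            "intact": store[2].max_budget,
            "own_ok": get_budget_fixed(store, 1, attacker).id}


if __name__ == "__main__":
    print(demonstrate())
```

The fix is deliberately a single loader used by both routes; an ownership check copied into each handler is the kind that gets forgotten when the next route is added.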

Affected Systems

Affected are all instances of TransformerOptimus SuperAGI up to and including version 0.0.14. The vulnerable code is the budget controller superagi/controllers/budget.py (in the superagi/controllers directory), and the get_budget and update_budget routes it exposes are the target; any deployment of a vulnerable version that exposes those endpoints is susceptible.

Risk and Exploitability

The CVSS 4.0 base score is 5.3 (medium); the CVSS 3.x base score recorded for the same issue is 6.3. Every recorded vector requires low privileges (PR:L in 3.x and 4.0, Au:S in 2.0) and no user interaction, so the attacker needs an authenticated account but can then carry out the attack over the network by sending crafted requests to the budget endpoint. EPSS is not available, but a public proof-of-concept exploit exists (E:P). The vulnerability is not listed in the KEV catalog. No vendor patch is available and the vendor has not responded to the disclosure, so the risk persists until a fix is applied.

Generated by OpenCVE AI on April 20, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enforce object-level authorization on the budget endpoints: before get_budget or update_budget act on a record, verify that the caller owns (or is otherwise entitled to) the budget identified in the request, rather than only checking that the caller is authenticated.
  • Temporarily disable or remove the update_budget route, or limit its exposure to a trusted network segment until a vendor fix is released.
  • Monitor API logs for anomalous access patterns to the budgeting endpoints and alert on repeated unauthorized attempts.
  • Apply an official patch or update to a higher version once the vendor releases a fix.
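One way to implement the monitoring recommended above, as an added example that is not SuperAGI's or OpenCVE's code: parse access-log lines for the budget routes and alert when one user walks through many distinct budget ids in a short window, or is refused repeatedly. The log line format, the /budget/get/<id> and /budget/update/<id> path shapes, and the thresholds are assumptions; adapt them to what your gateway or application actually emits.

```python
"""Added example (not SuperAGI's or OpenCVE's code): flag enumeration of
budget ids and repeated refusals on the budget endpoints from access logs.

The log format below is constructed for this example; adapt LINE_RE to the
format your gateway or application emits. The route shape and the
thresholds are assumptions to tune per deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Routes of the affected controller (path shape assumed).
BUDGET_RE = re.compile(r'^/budget/(?:get|update)/(?P<id>\d+)$')

# Constructed sample: alice works on her own budget, mallory walks ids 1..5
# and then writes to one, eve is refused three times (post-fix behaviour),
# bob reads one record much later and then hits an unrelated route.
SAMPLE_LOG = """\
2026-04-20T10:00:01Z user=alice ip=10.0.0.5 "GET /budget/get/1 HTTP/1.1" 200
2026-04-20T10:00:05Z user=alice ip=10.0.0.5 "PUT /budget/update/1 HTTP/1.1" 200
2026-04-20T10:01:00Z user=mallory ip=203.0.113.9 "GET /budget/get/1 HTTP/1.1" 200
2026-04-20T10:01:01Z user=mallory ip=203.0.113.9 "GET /budget/get/2 HTTP/1.1" 200
2026-04-20T10:01:02Z user=mallory ip=203.0.113.9 "GET /budget/get/3 HTTP/1.1" 200
2026-04-20T10:01:03Z user=mallory ip=203.0.113.9 "GET /budget/get/4 HTTP/1.1" 200
2026-04-20T10:01:04Z user=mallory ip=203.0.113.9 "GET /budget/get/5 HTTP/1.1" 200
2026-04-20T10:01:05Z user=mallory ip=203.0.113.9 "PUT /budget/update/5 HTTP/1.1" 200
2026-04-20T10:02:00Z user=eve ip=198.51.100.7 "GET /budget/get/9 HTTP/1.1" 403
2026-04-20T10:02:01Z user=eve ip=198.51.100.7 "GET /budget/get/10 HTTP/1.1" 403
2026-04-20T10:02:02Z user=eve ip=198.51.100.7 "GET /budget/get/11 HTTP/1.1" 403
2026-04-20T10:30:00Z user=bob ip=10.0.0.8 "GET /budget/get/2 HTTP/1.1" 200
2026-04-20T10:31:00Z user=bob ip=10.0.0.8 "GET /agents/list HTTP/1.1" 200
"""


def parse(text):
    """Return hits on the budget routes as dicts; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        b = BUDGET_RE.match(m["path"])
        if not b:
            continue
        hits.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "ip": m["ip"], "method": m["method"],
            "budget_id": int(b["id"]), "status": int(m["status"]),
        })
    return hits


def detect(hits, window=timedelta(minutes=5), distinct_ids=5, denials=3):
    """Per user, slide a time window over their hits and raise at most one
    alert per rule: many distinct budget ids (enumeration) or many 403s."""
    by_user = defaultdict(list)
    for h in hits:
        by_user[h["user"]].append(h)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda h: h["ts"])
        fired = set()
        for i, start in enumerate(events):
            span = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            ids = {e["budget_id"] for e in span}
            denied = sum(1 for e in span if e["status"] == 403)
            if len(ids) >= distinct_ids and "enumeration" not in fired:
                fired.add("enumeration")
                alerts.append({"user": user, "rule": "enumeration",
                               "ids": sorted(ids), "first_seen": start["ts"]})
            if denied >= denials and "repeated_denied" not in fired:
                fired.add("repeated_denied")
                alerts.append({"user": user, "rule": "repeated_denied",
                               "count": denied, "first_seen": start["ts"]})
    return sorted(alerts, key=lambda a: (a["first_seen"], a["user"]))


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The enumeration rule matters most while the endpoints are still vulnerable, because every request in the walk returns 200 and nothing else in the response distinguishes it from legitimate use; the 403 rule only becomes useful once an ownership check is in place.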

Generated by OpenCVE AI on April 20, 2026 at 01:20 UTC.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 00:00:00 +0000

Values removed: none. Values added:

Description: A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: TransformerOptimus SuperAGI Budget Endpoint budget.py update_budget authorization
First Time appeared: Superagi; Superagi superagi
Weaknesses: CWE-285; CWE-639
CPEs: cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*
Vendors & Products: Superagi; Superagi superagi
References: none
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-19T23:45:12.377Z

Reserved: 2026-04-19T05:41:18.481Z

Link: CVE-2026-6586

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T00:16:34.507

Modified: 2026-04-20T00:16:34.507

Link: CVE-2026-6586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T01:30:39Z

Weaknesses