Description
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected are the functions delete_agent, stop_schedule and get_schedule_data of the file superagi/controllers/agent.py. Manipulation of the argument agent_id leads to an authorization bypass. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

A flaw in TransformerOptimus SuperAGI inside superagi/controllers/agent.py allows manipulation of the agent_id parameter in the delete_agent, stop_schedule, and get_schedule_data endpoints. Because the request does not correctly verify that the caller owns or is authorized for the specified agent, an authenticated user can delete, halt, or read the schedule of an arbitrary agent. This breach of authorization control (CWE-285 and CWE-639) permits the attacker to gain unauthorized operational and informational capabilities.

Affected Systems

All releases of TransformerOptimus SuperAGI up to and including version 0.0.14 are affected. The vulnerability involves the agent.py controller and impacts any instance that exposes the delete_agent, stop_schedule, or get_schedule_data APIs to untrusted clients.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available. Because the attack vector is remote and an exploit has been published, the risk to exposed installations remains significant. The vulnerability is not listed in CISA's KEV catalog, but lack of vendor response leaves users without an official fix until a patch or advisory is released. Until then, offending calls can alter agent state or leak scheduling data for agents not owned by the attacker.

Generated by OpenCVE AI on April 20, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch that corrects the authorization check for agent_id in delete_agent, stop_schedule, and get_schedule_data endpoints.
  • Introduce an application-level verification step that confirms the authenticated user owns the target agent or has explicit permission before allowing the requested operation.
  • Reject any requests in which the supplied agent_id is not included in the list of agent identifiers owned by the caller, returning an appropriate error response.
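An added illustration of the ownership check recommended above, written as hypothetical Python rather than SuperAGI's own code (the in-memory AGENTS store, the caller ids and the agent records are constructed): the vulnerable lookup by agent_id alone is shown beside the hardened lookup keyed on both agent_id and the caller's owner_id, which all three operations must pass before acting.

```python
from dataclasses import dataclass, field


class AgentAccessError(Exception):
    """Raised when the caller may not act on the requested agent (or it does not exist)."""


@dataclass
class Agent:
    agent_id: int
    owner_id: int
    schedule: dict = field(default_factory=dict)
    running: bool = True


# Constructed sample data (hypothetical, not SuperAGI's schema): two users, three agents.
AGENTS = {
    1: Agent(1, owner_id=100, schedule={"cron": "0 * * * *"}),
    2: Agent(2, owner_id=100, schedule={"cron": "30 2 * * *"}),
    3: Agent(3, owner_id=200, schedule={"cron": "*/5 * * * *"}),
}


def get_schedule_data_vulnerable(agent_id):
    # Vulnerable pattern (CWE-639): the record is fetched by id alone, so any
    # authenticated caller who guesses an id reads another user's schedule.
    return AGENTS[agent_id].schedule


def load_owned_agent(caller_id, agent_id):
    """Hardened lookup: the record is selected by (agent_id, owner_id) together.
    A missing agent and a foreign agent raise the same error, so the response
    does not reveal which ids exist."""
    agent = AGENTS.get(agent_id)
    if agent is None or agent.owner_id != caller_id:
        raise AgentAccessError(f"agent {agent_id} not found for caller {caller_id}")
    return agent


def get_schedule_data(caller_id, agent_id):
    return load_owned_agent(caller_id, agent_id).schedule


def stop_schedule(caller_id, agent_id):
    agent = load_owned_agent(caller_id, agent_id)
    agent.running = False
    return agent.running


def delete_agent(caller_id, agent_id):
    load_owned_agent(caller_id, agent_id)  # authorize before the destructive step
    del AGENTS[agent_id]
    return agent_id not in AGENTS
```

In a real controller the ownership filter belongs in the database query itself (select by agent id and owner id), so no code path can fetch the record first and forget the check afterwards.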

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function delete_agent/stop_schedule/get_schedule_data of the file superagi/controllers/agent.py. The manipulation of the argument agent_id leads to authorization bypass. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title TransformerOptimus SuperAGI agent.py get_schedule_data authorization
First Time appeared Superagi
Superagi superagi
Weaknesses CWE-285
CWE-639
CPEs cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*
Vendors & Products Superagi
Superagi superagi
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T06:30:14.889Z

Reserved: 2026-04-19T16:13:32.175Z

Link: CVE-2026-6613

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T07:16:16.147

Modified: 2026-04-20T07:16:16.147

Link: CVE-2026-6613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T11:00:04Z

Weaknesses