CVE-2026-6614 - Vulnerability Details

- TransformerOptimus SuperAGI project.py get_projects_organisation authorization

Description

A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-20

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an authorization bypass in the SuperAGI controller functions get_project, update_project, and get_projects_organisation, allowing unauthenticated or improperly authorized users to view or modify any project. The flaw is caused by insufficient verification of user permissions, as indicated by CWE-285 and CWE-639. Attackers can retrieve or change project data without following the intended access controls, potentially exposing confidential project information and enabling further malicious actions.

Affected Systems

Affected by this flaw are installations of TransformerOptimus SuperAGI up to version 0.0.14. Any deployment that has not upgraded beyond this version and that exposes the /project endpoints can be impacted. The vulnerability exists in the superagi/controllers/project.py module.

Risk and Exploitability

The CVSS score of 5.3 reflects medium severity. EPSS is not available, so the exact likelihood of exploitation remains unknown. The vulnerability is not listed in the CISA KEV catalog, but the public release of the exploit suggests that attackers can target affected systems remotely. Because the flaw bypasses authorization checks, it can be exploited with only network access to the API and minimal credentials, making it a significant risk for any organization running the vulnerable version.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TransformerOptimus

SuperAGI

affected

Version	Status	Constraints
`0.0.1`	affected	—
`0.0.2`	affected	—
`0.0.3`	affected	—
`0.0.4`	affected	—
`0.0.5`	affected	—
`0.0.6`	affected	—
`0.0.7`	affected	—
`0.0.8`	affected	—
`0.0.9`	affected	—
`0.0.10`	affected	—
`0.0.11`	affected	—
`0.0.12`	affected	—
`0.0.13`	affected	—
`0.0.14`	affected	—

No data.

Vendor Product Confidence Versions

Superagi

95%

Version	Status	Scheme	Platform
`0.0.1`	affected	semver	—
`0.0.2`	affected	semver	—
`0.0.3`	affected	semver	—
`0.0.4`	affected	semver	—
`0.0.5`	affected	semver	—
`0.0.6`	affected	semver	—
`0.0.7`	affected	semver	—
`0.0.8`	affected	semver	—
`0.0.9`	affected	semver	—
`0.0.10`	affected	semver	—
`0.0.11`	affected	semver	—
`0.0.12`	affected	semver	—
`0.0.13`	affected	semver	—
`0.0.14`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a SuperAGI version newer than 0.0.14 once the vendor releases a patch that addresses the authorization checks in the project controller.
Apply role‑based access controls or IP whitelisting to restrict access to the /project endpoints until a patch is available.
Enable extensive logging of project access attempts and review logs for unauthorized activity.

Generated by OpenCVE AI on April 20, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b
https://vuldb.com/submit/791082
https://vuldb.com/vuln/358249
https://vuldb.com/vuln/358249/cti

History

Mon, 20 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in TransformerOptimus SuperAGI up to 0.0.14. Affected by this vulnerability is the function get_project/update_project/get_projects_organisation of the file superagi/controllers/project.py. The manipulation results in authorization bypass. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		TransformerOptimus SuperAGI project.py get_projects_organisation authorization
First Time appeared		Superagi Superagi superagi
Weaknesses		CWE-285 CWE-639
CPEs		cpe:2.3:a:superagi:superagi::::::::
Vendors & Products		Superagi Superagi superagi
References		https://gist.github.com/YLChen-007/ac40da2253c7364d043c0dfe3275190b https://vuldb.com/submit/791082 https://vuldb.com/vuln/358249 https://vuldb.com/vuln/358249/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Superagi Superagi

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-20T06:45:11.801Z

Updated: 2026-04-20T13:51:06.467Z

Reserved: 2026-04-19T16:13:35.375Z

Link: CVE-2026-6614

Vulnrichment

Updated: 2026-04-20T13:51:02.375Z

NVD

Status : Received

Published: 2026-04-20T07:16:16.343

Modified: 2026-04-20T07:16:16.343

Link: CVE-2026-6614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T09:00:02Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object