CVE-2026-6585
Authorization Bypass in TransformerOptimus SuperAGI Organisation Update Endpoint
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| transformeroptimus | superagi | up to and including 0.0.14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-6585 allows unauthorized modification of organisation data because the update_organisation function does not check that the caller is permitted to modify the organisation named in the request. This is an integrity problem first, and it also creates a phishing vector: an attacker can rename an organisation to something misleading that its users will trust.
Such unauthorized data manipulation can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, access authorization, and protection against unauthorized data modification.
Specifically, because the authorization check is missing, any authenticated user can alter another organisation's information without permission, which conflicts with the data accuracy and access-control principles these regulations mandate.
Can you explain this vulnerability to me?
This vulnerability exists in TransformerOptimus SuperAGI up to and including version 0.0.14, in the update_organisation function behind the Organisation Update Endpoint (PUT `/api/organisations/update/{organisation_id}`). The handler trusts the organisation_id taken from the URL without checking that the caller belongs to, or is otherwise allowed to modify, that organisation (CWE-285, CWE-639). Any authenticated user can therefore update any organisation's record remotely simply by changing the id in the path.
How can this vulnerability impact me? :
An authenticated attacker can remotely rename, or change the description of, organisations they do not belong to. Beyond the loss of integrity, a misleading organisation name can be used to lend credibility to phishing aimed at that organisation's users, and the change needs nothing more than an ordinary account's JWT.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection relies on correlating the requester with the target: a PUT to `/api/organisations/update/{organisation_id}` is only suspicious when the authenticated user behind the JWT is not a member of the organisation whose id appears in the path.
In practice, inspect application or reverse-proxy logs (or captured traffic) for PUT requests to that endpoint, resolve the caller from the token, and flag any request whose path id differs from the caller's own organisation, especially where the server returned a success status.
Example command using curl to test whether an instance you are authorised to assess is vulnerable (requires a valid JWT for an account that is not a member of the organisation whose id you put in the path; `3` below is a placeholder):
- curl -X PUT https://<target-domain>/api/organisations/update/3 -H "Authorization: Bearer <valid_jwt_token>" -H "Content-Type: application/json" -d '{"name": "Test Org", "description": "Test Description"}'
If the request succeeds (HTTP 200 and the organisation's name changes) even though the token belongs to a user outside that organisation, the instance is vulnerable; a fixed version should reject the request, for example with 403.
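The log-correlation approach above, as an added example that is not part of the original advisory or of the SuperAGI project. It parses a constructed log format (one line per request, with the caller's user id already joined in) against a constructed user-to-organisation mapping, and reports every PUT to the update endpoint whose path id is not the caller's own organisation, noting whether the server accepted it. Your real logs will need a different parser and the mapping will come from the users table; those parts are assumptions here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not captured from a real system). The format
# assumed here is "<timestamp> user=<user_id> <method> <path> <status>"; a real
# deployment would need the user id joined in from the JWT or the app's own logs.
SAMPLE_LOG = """\
2026-04-21T10:02:11Z user=7 PUT /api/organisations/update/2 200
2026-04-21T10:03:45Z user=7 PUT /api/organisations/update/3 200
2026-04-21T10:04:02Z user=12 GET /api/organisations/get/3 200
2026-04-21T10:05:30Z user=12 PUT /api/organisations/update/3 200
2026-04-21T10:06:00Z user=7 PUT /api/organisations/update/3?x=1 403
2026-04-21T10:07:00Z user=12 PUT /api/organisations/update/3 500
"""

# Constructed mapping user_id -> organisation_id the user belongs to (in a real
# deployment this comes from the application's user table; the one-organisation-
# per-user membership model is an assumption of this example).
USER_ORG = {7: 2, 12: 3}

LINE_RE = re.compile(r"^(\S+)\s+user=(\d+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
UPDATE_PATH_RE = re.compile(r"^/api/organisations/update/(\d+)/?$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: int
    own_org: Optional[int]   # None when the user id is unknown to the mapping
    target_org: int
    status: int

    @property
    def succeeded(self) -> bool:
        # Any 2xx on a cross-organisation PUT means the record was actually changed.
        return 200 <= self.status < 300


def find_cross_org_updates(log_text: str, user_org: dict) -> list:
    """Return every PUT to the update endpoint whose path id is not the caller's own organisation."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # unparseable line: skip rather than guess
        ts, uid, method, path, status = m.groups()
        if method.upper() != "PUT":
            continue
        path = path.split("?", 1)[0]    # ignore any query string
        p = UPDATE_PATH_RE.match(path)
        if not p:
            continue
        user_id, target = int(uid), int(p.group(1))
        own = user_org.get(user_id)
        if own == target:
            continue                    # updating one's own organisation is expected
        findings.append(Finding(ts, user_id, own, target, int(status)))
    return findings


if __name__ == "__main__":
    for f in find_cross_org_updates(SAMPLE_LOG, USER_ORG):
        flag = "SUCCEEDED" if f.succeeded else "rejected/failed"
        print(f"{f.timestamp} user {f.user_id} (org {f.own_org}) -> org {f.target_org}: HTTP {f.status} {flag}")
```

Rejected attempts are reported as well as successful ones: on a patched instance a burst of 403s from one account against several organisation ids is the signature of someone probing for this bug.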
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing a proper authorization check in the `update_organisation` function so that the organisation_id from the URL is only acted on if the authenticated user is a member of, or otherwise has permission to modify, that organisation.
Restrict the PUT `/api/organisations/update/{organisation_id}` endpoint so that only authorized users can update an organisation's details; the check must compare the caller's identity with the target record, not merely confirm that the caller is logged in.
In the short term, monitor and audit logs for cross-organisation update attempts, and consider temporarily disabling or restricting access to the vulnerable endpoint if possible.
Notify users and administrators about the risk of unauthorized modifications; because any valid account suffices to exploit this, review who holds accounts on the instance and treat JWT tokens as sensitive.
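The authorization check the mitigation calls for, shown as an added example that is not the SuperAGI project's own code. The handler logic is modelled without a web framework so it runs stand-alone: `update_organisation_vulnerable` follows the pattern the advisory describes (authenticated caller, row looked up by the id in the URL, no link between the two), and `update_organisation_fixed` adds the object-level check. The `User.organisation_id` membership model, the in-memory table and the `dispatch` helper that maps exceptions to HTTP-style status codes are all assumptions of this example.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


@dataclass
class Organisation:
    id: int
    name: str
    description: str


@dataclass
class User:
    id: int
    organisation_id: int   # assumed: a user belongs to exactly one organisation


def make_db() -> dict:
    """Constructed in-memory table of organisations, keyed by id (not real data)."""
    return {
        2: Organisation(2, "Acme Research", "internal"),
        3: Organisation(3, "Globex", "partner"),
    }


def update_organisation_vulnerable(db, organisation_id, payload, current_user):
    """The pattern behind CWE-639: the caller is authenticated and the row exists,
    but nothing checks that the caller may touch *this* row."""
    org = db.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    org.name = payload["name"]
    org.description = payload["description"]
    return org


def update_organisation_fixed(db, organisation_id, payload, current_user):
    """Object-level authorization: the organisation named in the URL must be the
    one the authenticated user belongs to. The check runs before the lookup so
    an outsider cannot learn which ids exist from a 404-versus-403 difference."""
    if current_user.organisation_id != organisation_id:
        raise Forbidden(f"user {current_user.id} may not modify organisation {organisation_id}")
    org = db.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    org.name = payload["name"]
    org.description = payload["description"]
    return org


def dispatch(handler, db, organisation_id, payload, current_user) -> int:
    """Run a handler the way a framework would and return an HTTP-style status code."""
    try:
        handler(db, organisation_id, payload, current_user)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


if __name__ == "__main__":
    attacker = User(id=7, organisation_id=2)          # a member of organisation 2 only
    payload = {"name": "Globex Support - verify your login", "description": "phish"}

    db = make_db()
    print("vulnerable:", dispatch(update_organisation_vulnerable, db, 3, payload, attacker), db[3].name)
    db = make_db()
    print("fixed:     ", dispatch(update_organisation_fixed, db, 3, payload, attacker), db[3].name)
    print("fixed, own:", dispatch(update_organisation_fixed, db, 2, payload, attacker), db[2].name)
```

A stricter variant of the fix ignores the path parameter entirely and takes the organisation id from the authenticated user's session, which removes the attacker-controlled key rather than validating it; the comparison form above is shown because it keeps the endpoint's existing URL shape.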