CVE-2026-6585
Received Received - Intake
Authorization Bypass in TransformerOptimus SuperAGI Organisation Update Endpoint

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulation of the argument organisation_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6585
EUVD
EUVD-2026-23723
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
transformeroptimus superagi to 0.0.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-6585 allows unauthorized modification of organization data due to an authorization bypass in the update_organisation function. This can lead to data integrity issues and potential phishing risks by maliciously renaming organizations.

Such unauthorized data manipulation can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, access authorization, and protection against unauthorized data modification.

Specifically, the lack of proper authorization checks means that authenticated users can alter organizational information without permission, potentially violating principles of data accuracy and security mandated by these regulations.

Executive Summary

This vulnerability exists in TransformerOptimus SuperAGI up to version 0.0.14, specifically in the update_organisation function within the Organisation Update Endpoint. It involves manipulation of the organisation_id argument, which leads to an authorization bypass. This means an attacker can remotely exploit this flaw to bypass normal access controls.

Impact Analysis

The vulnerability allows an attacker to bypass authorization controls remotely, potentially enabling unauthorized updates to organisation data. This could lead to unauthorized changes or access within the affected system, compromising data integrity and security.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized PUT requests to the endpoint `/api/organisations/update/{organisation_id}` where the `organisation_id` parameter is manipulated to update organizations without proper authorization.

A practical detection method is to inspect logs or capture network traffic for PUT requests that modify organization names or descriptions, especially those coming from authenticated users who should not have permission to update the targeted organization.

Example command using curl to test if the vulnerability exists (requires a valid JWT token):

  • curl -X PUT https://<target-domain>/api/organisations/update/3 -H "Authorization: Bearer <valid_jwt_token>" -H "Content-Type: application/json" -d '{"name": "Test Org", "description": "Test Description"}'

If the request succeeds in updating an organization that the user should not have access to, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include implementing proper authorization checks in the `update_organisation` function to verify that the authenticated user is a member of or has permission to modify the targeted organization.

Restrict the PUT `/api/organisations/update/{organisation_id}` endpoint to ensure that only authorized users can update organization details.

In the short term, monitor and audit logs for suspicious update attempts and consider temporarily disabling or restricting access to the vulnerable endpoint if possible.

Notify users and administrators about the risk of unauthorized modifications and advise caution with JWT token distribution and usage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart