CVE-2026-6586
Received Received - Intake
Authorization Bypass in TransformerOptimus SuperAGI Budget Endpoint

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6586
EUVD
EUVD-2026-23726
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
transformeroptimus superagi to 0.0.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in TransformerOptimus SuperAGI versions up to 0.0.14, specifically in the get_budget and update_budget functions within the superagi/controllers/budget.py file of the Budget Endpoint component.

The issue allows an attacker to bypass authorization controls, meaning they can manipulate budget-related functions without proper permissions.

The attack can be launched remotely, and there is a publicly available exploit that could be used to take advantage of this vulnerability.

Impact Analysis

This vulnerability can lead to unauthorized access and manipulation of budget-related functions in the affected software.

An attacker exploiting this flaw could bypass authorization controls remotely, potentially altering budget data or operations without permission.

Such unauthorized actions could result in financial discrepancies, data integrity issues, or misuse of resources managed by the Budget Endpoint.

Compliance Impact

The vulnerability allows unauthorized users to access and modify budget data belonging to any organization without proper authorization checks.

Such unauthorized access and manipulation of sensitive financial data could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over access to personal and organizational data.

Specifically, the lack of authorization checks may result in unauthorized disclosure and alteration of sensitive information, undermining confidentiality and integrity requirements mandated by these standards.

Detection Guidance

This vulnerability can be detected by testing the budget management endpoints of the SuperAGI application for authorization bypass issues. Specifically, you can attempt to access or modify budgets belonging to other organizations using valid authentication tokens but without proper ownership verification.

Proof of Concept (PoC) commands include sending HTTP requests with a valid JWT token to the following endpoints:

  • GET request to /api/budgets/get/{budget_id} to read any organization's budget.
  • PUT request to /api/budgets/update/{budget_id} with JSON data to modify any organization's budget.

For example, using curl commands:

  • curl -H "Authorization: Bearer <valid_jwt_token>" https://<target>/api/budgets/get/123
  • curl -X PUT -H "Authorization: Bearer <valid_jwt_token>" -H "Content-Type: application/json" -d '{"budget":0,"cycle":"new_cycle"}' https://<target>/api/budgets/update/123
Mitigation Strategies

Immediate mitigation steps include restricting access to the affected budget endpoints to only authorized users who own the budgets they are trying to access or modify.

Since the vulnerability arises from missing organization ownership checks, you should implement or enforce authorization checks that verify the budget belongs to the authenticated user's organization before allowing read or update operations.

Additionally, monitor and audit access logs for unusual activity such as attempts to enumerate budget IDs or unauthorized modifications.

If possible, temporarily disable or restrict access to the budget management endpoints until a proper fix or patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6586. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart