CVE-2026-6615
Received Received - Intake
Path Traversal in TransformerOptimus SuperAGI Multipart Upload Handler

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function Upload of the file superagi/controllers/resources.py of the component Multipart Upload Handler. This manipulation of the argument Name causes path traversal. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6615
EUVD
EUVD-2026-23801
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
transformeroptimus superagi to 0.0.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in TransformerOptimus SuperAGI up to version 0.0.14, specifically in the Upload function of the Multipart Upload Handler component. It involves manipulation of the argument 'Name' which leads to a path traversal issue. This means an attacker can remotely exploit this weakness to access or modify files outside the intended directory structure.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform arbitrary file writes on the backend server via path traversal, potentially leading to remote code execution, full system compromise, or denial of service.

Such a security weakness can impact compliance with common standards and regulations like GDPR and HIPAA because it threatens the confidentiality, integrity, and availability of sensitive data stored or processed by the affected system.

If exploited, attackers could overwrite critical files or inject malicious code, potentially leading to unauthorized access or data breaches involving personal or protected health information, which are violations of these regulations.

Therefore, this vulnerability poses a significant risk to maintaining regulatory compliance by undermining the security controls required to protect sensitive data.

Detection Guidance

This vulnerability can be detected by testing the resource upload endpoint `/resources/add/{agent_id}` for path traversal attempts in the filename parameter.

A practical detection method is to send a crafted HTTP POST request with a multipart form containing a filename with directory traversal sequences such as `../../../../../../../../../../tmp/pwned_traversal.txt`.

For example, using curl to test the vulnerability:

  • curl -X POST "http://target-server/resources/add/agent_id" -F "name=legit_name.txt" -F "file=@./localfile.txt;filename=../../../../../../../../../../tmp/pwned_traversal.txt"

After sending the request, verify if the file `pwned_traversal.txt` appears in the `/tmp` directory on the backend server, indicating successful exploitation.

Additionally, monitoring network traffic for suspicious POST requests to the `/resources/add/` endpoint with unusual filename patterns containing `../` sequences can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable upload endpoint to trusted and authenticated users only.

Implement input validation and sanitization on the filename parameter to prevent directory traversal sequences. Use defensive functions such as `werkzeug.utils.secure_filename` or path normalization methods like `os.path.abspath` to sanitize filenames before saving.

If possible, disable or restrict the upload functionality until a patch or fix is available.

Monitor your system for any unauthorized file writes or suspicious activity related to the upload endpoint.

Since no known patches are available at the time of the report, consider isolating the affected system or running it with minimal privileges to limit potential damage.

Impact Analysis

The vulnerability allows remote attackers to perform path traversal attacks, potentially enabling them to access, modify, or overwrite files on the affected system. This can lead to unauthorized data exposure, data corruption, or further compromise of the system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart