CVE-2026-6615
Path Traversal in TransformerOptimus SuperAGI Multipart Upload Handler
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| transformeroptimus | superagi | to 0.0.14 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in TransformerOptimus SuperAGI up to version 0.0.14, specifically in the Upload function of the Multipart Upload Handler component. It involves manipulation of the argument 'Name' which leads to a path traversal issue. This means an attacker can remotely exploit this weakness to access or modify files outside the intended directory structure.
How can this vulnerability impact me? :
The vulnerability allows remote attackers to perform path traversal attacks, potentially enabling them to access, modify, or overwrite files on the affected system. This can lead to unauthorized data exposure, data corruption, or further compromise of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote attackers to perform arbitrary file writes on the backend server via path traversal, potentially leading to remote code execution, full system compromise, or denial of service.
Such a security weakness can impact compliance with common standards and regulations like GDPR and HIPAA because it threatens the confidentiality, integrity, and availability of sensitive data stored or processed by the affected system.
If exploited, attackers could overwrite critical files or inject malicious code, potentially leading to unauthorized access or data breaches involving personal or protected health information, which are violations of these regulations.
Therefore, this vulnerability poses a significant risk to maintaining regulatory compliance by undermining the security controls required to protect sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the resource upload endpoint `/resources/add/{agent_id}` for path traversal attempts in the filename parameter.
A practical detection method is to send a crafted HTTP POST request with a multipart form containing a filename with directory traversal sequences such as `../../../../../../../../../../tmp/pwned_traversal.txt`.
For example, using curl to test the vulnerability:
- curl -X POST "http://target-server/resources/add/agent_id" -F "name=legit_name.txt" -F "file=@./localfile.txt;filename=../../../../../../../../../../tmp/pwned_traversal.txt"
After sending the request, verify if the file `pwned_traversal.txt` appears in the `/tmp` directory on the backend server, indicating successful exploitation.
Additionally, monitoring network traffic for suspicious POST requests to the `/resources/add/` endpoint with unusual filename patterns containing `../` sequences can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable upload endpoint to trusted and authenticated users only.
Implement input validation and sanitization on the filename parameter to prevent directory traversal sequences. Use defensive functions such as `werkzeug.utils.secure_filename` or path normalization methods like `os.path.abspath` to sanitize filenames before saving.
If possible, disable or restrict the upload functionality until a patch or fix is available.
Monitor your system for any unauthorized file writes or suspicious activity related to the upload endpoint.
Since no known patches are available at the time of the report, consider isolating the affected system or running it with minimal privileges to limit potential damage.