CVE-2026-37525
Privilege Escalation in AGL app-framework-binder

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: MITRE

Description
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
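The decisive question for any verb reached through this path is how it treats a NULL credentials pointer. The following is a constructed C model added here for illustration (it is not afb-daemon's code; the structs, `cred_addref` and `context_change_cred` are stand-ins for the behaviour the description attributes to `afb_cred_addref` and `afb_context_change_cred`). It contrasts an authorization check that fails open on a missing credential with one that fails closed, which is the property an API author must guarantee to be unaffected by the NULL propagation.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed model of a request context whose credentials pointer can become
 * NULL. Not the project's real types; kept minimal for the demonstration. */
struct cred { unsigned uid; bool is_supervisor; };
struct context { struct cred *credentials; };

/* Mirrors the described afb_cred_addref behaviour: NULL in, NULL out.
 * (No reference counting in this model.) */
static struct cred *cred_addref(struct cred *c) { return c; }

/* Mirrors the described afb_context_change_cred: the context now carries
 * whatever cred_addref returned, i.e. NULL when NULL was passed. */
static void context_change_cred(struct context *ctx, struct cred *c) {
    ctx->credentials = cred_addref(c);
}

/* Fail-open check: a missing credential is treated as "no restriction".
 * This is the pattern that turns the NULL propagation into an escalation. */
int authorize_fail_open(const struct context *ctx) {
    const struct cred *c = ctx->credentials;
    if (c == NULL) return 1;              /* defect: no identity -> granted */
    return c->is_supervisor ? 1 : 0;
}

/* Fail-closed check: a missing credential is a denial, so dropping the
 * credentials before dispatch cannot widen access. */
int authorize_fail_closed(const struct context *ctx) {
    const struct cred *c = ctx->credentials;
    if (c == NULL) return 0;
    return c->is_supervisor ? 1 : 0;
}

/* Models the dispatch path from the description: an unprivileged caller's
 * credentials are replaced with NULL, then the chosen verb's check runs. */
int dispatch_after_cred_drop(int (*authorize)(const struct context *)) {
    struct cred unprivileged = { .uid = 1000, .is_supervisor = false };
    struct context ctx = { .credentials = &unprivileged };
    context_change_cred(&ctx, NULL);
    return authorize(&ctx);
}

/* Baseline: the same verb reached with an intact credential. */
int dispatch_with_cred(bool supervisor, int (*authorize)(const struct context *)) {
    struct cred c = { .uid = supervisor ? 0u : 1000u, .is_supervisor = supervisor };
    struct context ctx = { .credentials = NULL };
    context_change_cred(&ctx, &c);
    return authorize(&ctx);
}
```

Only the fail-open variant grants access after the credential drop; the fail-closed variant denies it while still admitting a genuine supervisor credential.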
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: agl
Product: app-framework-binder
Version / Range: 19.90.0
CWE
CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the AGL app-framework-binder (afb-daemon) up to version 19.90.0 and involves a privilege escalation issue in the supervision Do command.

Specifically, the function on_supervision_call nullifies the request credentials before dispatching an API call controlled by the attacker. This means the credentials are set to NULL before the target API executes.

Because the attacker controls the API and verb parameters via JSON input, they can execute any registered API with a NULL credential context.

If the APIs rely on the credentials in the context for authorization, they may fail open when receiving NULL credentials, allowing the attacker to escalate privileges.

How can this vulnerability impact me?

This vulnerability can allow an attacker with limited privileges to escalate their privileges by executing API calls without proper authorization checks.

Because the credentials are nullified before the API call, APIs that depend on these credentials for security may inadvertently grant higher access or perform sensitive actions.

The impact includes potential unauthorized access to sensitive data, modification of system settings, or disruption of services, as indicated by the high CVSS score (7.8) with high impact on confidentiality, integrity, and availability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows privilege escalation by enabling attacker-controlled API calls with NULL credential contexts, potentially bypassing authorization checks. This could lead to unauthorized access to sensitive data or system functions.

Such unauthorized access and privilege escalation may result in violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.
