CVE-2026-37526
Privilege Escalation in AGL app-framework-binder
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agl | app-framework-binder | 19.90.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the AGL app-framework-binder (afb-daemon) up to version 19.90.0. It allows any local process to execute privileged supervision commands without authentication by connecting to an abstract Unix socket named @urn:AGL:afs:supervision:socket.
The function on_supervision_call in the source code dispatches eight commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without verifying the credentials of the caller. The socket has no discretionary access control (DAC) protection, which means low-privileged local processes can exploit this to perform actions normally restricted to privileged users.
Exploiting this vulnerability can allow an attacker to kill the daemon (causing denial of service), execute arbitrary API calls, close user sessions, or leak the entire global configuration.
How can this vulnerability impact me?
This vulnerability can have serious impacts including:
- Denial of Service (DoS) by killing the daemon using the Exit command.
- Execution of arbitrary API calls, potentially allowing unauthorized actions.
- Closure of arbitrary user sessions, disrupting legitimate users.
- Leakage of the entire global configuration, exposing sensitive system information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any local process to execute privileged supervision commands without authentication, potentially leading to unauthorized access, data leakage, and denial of service.
Such unauthorized access and data leakage could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and system integrity.
However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the AGL app-framework-binder (afb-daemon), which allows local processes to execute privileged supervision commands without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket.
Detection can focus on checking for the presence of the abstract Unix socket @urn:AGL:afs:supervision:socket and monitoring or attempting to interact with it.
- Use commands like `ss -xl | grep @urn:AGL:afs:supervision:socket` or `netstat -ax | grep @urn:AGL:afs:supervision:socket` to detect the presence of the abstract Unix socket.
- Attempt to connect to the socket using tools like `socat` or `nc` to see if commands can be sent without authentication.
- Check running processes for the afb-daemon and verify its version to confirm if it is at or below v19.90.0.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the abstract Unix socket @urn:AGL:afs:supervision:socket to trusted users only, as it currently lacks discretionary access control (DAC) protection.
Consider stopping or restarting the afb-daemon if possible, and upgrading to a patched version once available.
Monitor and audit usage of the supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) to detect any unauthorized activity.