TransformerOptimus SuperAGI Organisation Update Endpoint Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in the SuperAGI application, specifically in versions up to and including 0.0.14. The issue resides in the 'update_organisation' function within 'superagi/controllers/organisation.py'. This vulnerability allows any authenticated user to modify the name and description of any organization by manipulating the 'organisation_id' parameter. The endpoint fails to verify whether the user belongs to the organization being modified, enabling unauthorized changes. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized modification of organization names and descriptions, potentially leading to data integrity issues and confusion among users.

Reproduction

To reproduce this vulnerability, authenticate as a user and obtain a valid JWT token. Then, send a PUT request to the '/organisations/update/{organisation_id}' endpoint, replacing '{organisation_id}' with the ID of the organization to be modified. Include the new name and description in the request body. The absence of organization membership verification will allow the changes to be applied, regardless of the user's actual affiliation with the organization.
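The flaw described above is a missing object-level authorization check: the handler trusts the client-supplied 'organisation_id' instead of deriving the permitted organisation from the authenticated identity. The following added example (written for this page, not SuperAGI's own code) models the handler framework-agnostically, with the vulnerable shape beside the hardened one. The User, Organisation, UpdatePayload and AuthorizationError names, the in-memory store and the fixture data are all constructed for the illustration; SuperAGI's real controller is a FastAPI route over SQLAlchemy models, which is not reproduced here.

```python
"""Added example, not SuperAGI's own code: a framework-agnostic model of the
'update_organisation' handler. All classes, store names and fixture values
below are constructed for this illustration."""
from dataclasses import dataclass
from typing import Dict, Tuple


class AuthorizationError(Exception):
    """Stands in for an HTTP 403 response."""


@dataclass
class User:
    id: int
    email: str
    organisation_id: int  # membership as recorded server-side, from the JWT subject


@dataclass
class Organisation:
    id: int
    name: str
    description: str


@dataclass
class UpdatePayload:
    name: str
    description: str


def update_organisation_vulnerable(current_user: User, organisation_id: int,
                                   payload: UpdatePayload,
                                   orgs: Dict[int, Organisation]) -> Organisation:
    """Mirrors the advisory: the path parameter is used as-is and the handler
    never checks that current_user belongs to the target organisation."""
    org = orgs.get(organisation_id)
    if org is None:
        raise KeyError("organisation not found")  # stands in for HTTP 404
    org.name = payload.name
    org.description = payload.description
    return org


def update_organisation_hardened(current_user: User, organisation_id: int,
                                 payload: UpdatePayload,
                                 orgs: Dict[int, Organisation]) -> Organisation:
    """Same handler with the missing membership check. The authorization
    decision comes from the authenticated identity, never from the URL or body."""
    if current_user.organisation_id != organisation_id:
        # Deny before touching the record so an outsider learns nothing about it.
        raise AuthorizationError("user is not a member of this organisation")
    org = orgs.get(organisation_id)
    if org is None:
        raise KeyError("organisation not found")
    org.name = payload.name
    org.description = payload.description
    return org


def make_fixture() -> Tuple[Dict[str, User], Dict[int, Organisation]]:
    """Constructed sample data: two tenants, one user in each."""
    users = {
        "user_a": User(id=1, email="a@example.test", organisation_id=1),
        "user_b": User(id=2, email="b@example.test", organisation_id=2),
    }
    orgs = {
        1: Organisation(id=1, name="Org One", description="first tenant"),
        2: Organisation(id=2, name="Org Two", description="second tenant"),
    }
    return users, orgs


def cross_tenant_write_blocked() -> bool:
    """Returns True when the hardened handler refuses a write from user_a
    against organisation 2 and leaves that record untouched."""
    users, orgs = make_fixture()
    try:
        update_organisation_hardened(users["user_a"], 2,
                                     UpdatePayload("renamed", "changed"), orgs)
    except AuthorizationError:
        return orgs[2].name == "Org Two" and orgs[2].description == "second tenant"
    return False


if __name__ == "__main__":
    print("cross-tenant write blocked:", cross_tenant_write_blocked())
```

The check compares the target id with the organisation recorded for the authenticated user; in a real deployment that value must come from the server-side user record looked up from the token subject, not from a claim the client can set, and 403 responses on this route are worth alerting on since legitimate clients never address an organisation they do not belong to.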

Added: Apr 20, 2026, 12:18 AM
Updated: Apr 20, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.