TransformerOptimus SuperAGI Authorization Bypass Vulnerability in Project Management Endpoints

Vulnerability

A security vulnerability allowing authorization bypass has been identified in TransformerOptimus SuperAGI versions through 0.0.14. The issue resides in the project management endpoints within the file superagi/controllers/project.py. Specifically, the functions get_project, update_project, and get_projects_organisation are affected. These endpoints authenticate the caller but never verify that the caller belongs to the organization that owns the requested project, allowing cross-organization access to and modification of project data. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to unauthorized access and modification of projects across different organizations, allowing attackers to bypass authorization checks and manipulate project data. This could disrupt workflows and cause data integrity issues.

Reproduction

To reproduce this vulnerability, authenticate as a user and obtain a valid JWT token. Then, use the token to access the vulnerable endpoints. The get_projects_organisation endpoint can be used to list all projects for any organization by ID, without any membership verification. The get_project and update_project endpoints can be used to read and modify specific projects, respectively, also without organization checks.
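The missing check, modelled as an added example that is not SuperAGI's own code: an in-memory user and project store with hypothetical names, the flawed read beside a version that verifies organization ownership, and the list and update paths guarded the same way. It assumes each user belongs to exactly one organization.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    organisation_id: int  # assumption: each user belongs to one organisation

@dataclass
class Project:
    id: int
    organisation_id: int
    name: str

class NotFound(Exception): pass
class Forbidden(Exception): pass

# Constructed sample data (not SuperAGI's): two organisations, one project each.
PROJECTS = {
    1: Project(id=1, organisation_id=10, name="org-A project"),
    2: Project(id=2, organisation_id=20, name="org-B project"),
}

def get_project_vulnerable(user, project_id):
    """Flawed pattern: the caller is authenticated, but nothing ties the project
    to the caller's organisation, so any logged-in user can read any project."""
    project = PROJECTS.get(project_id)
    if project is None:
        raise NotFound(project_id)
    return project

def get_project_fixed(user, project_id):
    """Object-level check: the project must belong to the caller's organisation.
    A foreign project is reported as missing so foreign ids are not revealed."""
    project = PROJECTS.get(project_id)
    if project is None or project.organisation_id != user.organisation_id:
        raise NotFound(project_id)
    return project

def get_projects_organisation_fixed(user, organisation_id):
    """Membership check before listing: the organisation id in the URL is untrusted."""
    if organisation_id != user.organisation_id:
        raise Forbidden(organisation_id)
    return [p for p in PROJECTS.values() if p.organisation_id == organisation_id]

def update_project_fixed(user, project_id, new_name):
    """Writes reuse the checked lookup, so the ownership test cannot be skipped."""
    project = get_project_fixed(user, project_id)
    project.name = new_name
    return project
```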

Added: Apr 20, 2026, 7:18 AM
Updated: Apr 20, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 1.3
exploitability: 6.6
remediation: 0.0
relevance: 6.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.