Cyber Resilience

CVE-2024-12048

Severity: High · Public PoC

Published: 20 March 2025
Modified: 18 July 2025
KEV Added: not listed
CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0021 (43.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12048 is a high-severity Missing Critical Step in Authentication (CWE-304) vulnerability in SuperAGI (transformeroptimus/superagi; vendor and product are both listed as "Superagi"). Its CVSS v3 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Account (T1087.004). EPSS ranks it at the 43.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1087.004 Cloud Account (tactic: Discovery)
    Adversaries may attempt to get a listing of cloud accounts.
T1098 Account Manipulation (tactic: Persistence)
    Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The IDOR vulnerability enables exploitation of a public-facing API (T1190), cloud account discovery via /get/user/{user_id} (T1087.004), and account manipulation through unauthorized viewing, editing, and deletion of other users' projects, agents, organisations, and user data (T1098).

Affected Assets

Vendor: superagi
Product: superagi
Version: 0.0.14

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

Addresses CWE-304: Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps.
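As an added illustration of the two CWE-639 controls above (per-request decision making and consistent enforcement), and of the unchecked lookup behind the IDOR described in the vulnerability details: this is example code, not SuperAGI's own; the User/Project model, the Forbidden error and the sample data are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

class Forbidden(Exception):
    """The caller may not act on the requested object (would map to HTTP 403/404)."""

@dataclass(frozen=True)
class User:
    id: int
    organisation_id: int

@dataclass(frozen=True)
class Project:
    id: int
    organisation_id: int
    name: str

# Constructed sample data (hypothetical): two organisations, one project each.
USERS: Dict[int, User] = {1: User(1, 10), 2: User(2, 20)}
PROJECTS: Dict[int, Project] = {100: Project(100, 10, "alpha"), 200: Project(200, 20, "beta")}

def get_project_vulnerable(caller: User, project_id: int) -> Project:
    """IDOR pattern: the caller is authenticated, but any project_id is served."""
    return PROJECTS[project_id]

def owned_by_caller(loader: Callable[[int], Optional[object]]):
    """Decorator: load the object, then refuse unless it belongs to the caller's organisation.
    Missing and foreign ids raise the same error, so a caller cannot probe which ids exist."""
    def wrap(handler):
        def guarded(caller: User, object_id: int):
            obj = loader(object_id)
            if obj is None or obj.organisation_id != caller.organisation_id:
                raise Forbidden(f"object {object_id} is not accessible to user {caller.id}")
            return handler(caller, obj)
        return guarded
    return wrap

@owned_by_caller(PROJECTS.get)
def get_project(caller: User, project: Project) -> Project:
    """Hardened /get/project/{project_id}: reached only after the ownership check."""
    return project

@owned_by_caller(PROJECTS.get)
def delete_project(caller: User, project: Project) -> bool:
    """The same guard on a delete handler keeps enforcement consistent across endpoints."""
    del PROJECTS[project.id]
    return True
```

The decision is made on every request from the authenticated identity and the loaded object, not from the id the client supplied, which is the property the controls above ask for.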
