CVE-2024-12048
Published: 20 March 2025
Summary
CVE-2024-12048 is a high-severity Missing Critical Step in Authentication (CWE-304) vulnerability in Superagi Superagi. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Account (T1087.004); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7030
Vulnerability details
An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but…
more
are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR vulnerability enables exploitation of public-facing API (T1190), cloud account discovery via /get/user/{user_id} (T1087.004), and account manipulation via unauthorized view/edit/delete of other users' projects, agents, organizations, and user data (T1098).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.
Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps.