CVE-2024-9431
Published: 20 March 2025
Summary
CVE-2024-9431 is a high-severity Unverified Password Change (CWE-620) vulnerability in SuperAGI (transformeroptimus/superagi). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). Its exploit-likelihood ranking is at the 28.0th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): directly prevents authenticated users from holding unnecessary permissions to change other users' passwords, addressing the core improper privilege management flaw.
- AC-2 (Account Management): requires defined procedures and approvals for modifying accounts, ensuring only authorized personnel can change other users' passwords.
- IA-5 (Authenticator Management): protects authenticator content from unauthorized modification, mitigating the ability of low-privilege users to reset others' passwords.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper privilege management vulnerability allows authenticated users to change other users' passwords, directly enabling account manipulation (T1098) for account takeover.
NVD Description
In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover.
Deeper analysis
CVE-2024-9431 is an improper privilege management vulnerability (CWE-620) affecting version v0.0.14 of transformeroptimus/superagi. The flaw allows authenticated users to change the passwords of other users after logging into the system, potentially enabling account takeover. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
An attacker with low-privilege access, such as a standard authenticated user, can exploit this vulnerability remotely over the network without requiring user interaction. By leveraging the improper privilege management, the attacker can reset passwords for higher-privilege accounts or other targets, achieving full account takeover and potentially escalating control over the system.
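To make the flaw concrete from a defender's side, the following added example (not SuperAGI's code; the user model, function names and passwords are constructed) shows a password-change handler that only checks that the requester is logged in, beside a hardened version that ties a self-service change to proof of the current password (CWE-620) and restricts changes to other accounts to an explicit admin privilege (AC-6).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed in-memory user model; illustrative code, not SuperAGI's.
@dataclass
class User:
    user_id: int
    is_admin: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(user_id: int, password: str, is_admin: bool = False) -> User:
    user = User(user_id=user_id, is_admin=is_admin)
    user.pw_hash = hash_password(password, user.salt)
    return user

def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison so hash bytes do not leak through timing.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))

def change_password_vulnerable(users: dict, requester: User, target_id: int,
                               new_password: str) -> None:
    # Advisory pattern: being logged in is the only check, so any user can overwrite any password.
    target = users[target_id]
    target.pw_hash = hash_password(new_password, target.salt)

def change_password_fixed(users: dict, requester: User, target_id: int,
                          new_password: str, current_password: str = "") -> None:
    target = users[target_id]
    if requester.user_id == target.user_id:
        # Self-service change must prove knowledge of the current password (CWE-620).
        if not verify_password(target, current_password):
            raise PermissionError("current password verification failed")
    elif not requester.is_admin:
        # Changing another account requires an explicit admin privilege (least privilege).
        raise PermissionError("not authorized to change another user's password")
    target.pw_hash = hash_password(new_password, target.salt)

def try_change(fn, *args) -> bool:
    # Returns True if the change was permitted, False if the handler refused it.
    try:
        fn(*args)
        return True
    except PermissionError:
        return False
```

Rejected attempts surface as `PermissionError`, which is the event an application should log and alert on when a non-admin addresses another user's account.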
The primary advisory is available via the Huntr.com bounty report at https://huntr.com/bounties/9b33d7c1-ed0a-4f5b-a378-694570fd990b, which details the issue discovered in transformeroptimus/superagi v0.0.14. Security practitioners should consult this reference for guidance on patches, workarounds, or updated versions addressing the vulnerability.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects SuperAGI (transformeroptimus/superagi), an open-source autonomous AI agent framework/platform, fitting AI Agent Protocols and Integrations. Reported on an AI/ML bug bounty platform (huntr.com).