Cyber Resilience

CVE-2024-9447

Severity: Medium · Public PoC

Published: 20 March 2025
Modified: 29 July 2025
CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0032 (55.0th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9447 is a medium-severity Exposure of Sensitive Information Through Metadata (CWE-1230) vulnerability in Superagi Superagi. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE ranks in the top 45.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss.
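To make the weakness concrete for reviewers, the following is an added, simplified illustration of the bug class the advisory describes (an authenticated "get organisation" handler with no object-level authorization) next to a hardened version. It is hypothetical example code, not SuperAGI's implementation; the `User`, `Organisation` types, the in-memory `ORGANISATIONS` store and the placeholder key values are all constructed here.

```python
# Hypothetical illustration of CVE-2024-9447's bug class (missing organisation
# ownership check). Not SuperAGI's code; data below is constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    organisation_id: int  # the organisation the authenticated caller belongs to


@dataclass
class Organisation:
    organisation_id: int
    name: str
    api_keys: dict  # the sensitive configuration the real bug exposes


# Constructed stand-in for the database; keys are obvious placeholders.
ORGANISATIONS = {
    1: Organisation(1, "acme", {"OPENAI_API_KEY": "sk-ACME-PLACEHOLDER"}),
    2: Organisation(2, "globex", {"OPENAI_API_KEY": "sk-GLOBEX-PLACEHOLDER"}),
}


class NotFound(Exception):
    """Raised for unknown or inaccessible organisation ids."""


def get_organisation_vulnerable(current_user: User, organisation_id: int) -> dict:
    """Pattern the advisory describes: authentication only, no ownership check."""
    org = ORGANISATIONS.get(organisation_id)
    if org is None:
        raise NotFound(organisation_id)
    # Any authenticated user can read any organisation's API keys here.
    return {"name": org.name, "api_keys": org.api_keys}


def can_access_organisation(current_user: User, organisation_id: int) -> bool:
    """Object-level authorization: the caller must belong to the organisation."""
    org = ORGANISATIONS.get(organisation_id)
    return org is not None and org.organisation_id == current_user.organisation_id


def get_organisation_fixed(current_user: User, organisation_id: int) -> dict:
    """Hardened handler: deny foreign organisations before returning secrets."""
    # Unknown and foreign ids are both reported as not found so the endpoint
    # does not confirm which organisation ids exist.
    if not can_access_organisation(current_user, organisation_id):
        raise NotFound(organisation_id)
    org = ORGANISATIONS[organisation_id]
    return {"name": org.name, "api_keys": org.api_keys}
```

The same ownership check, applied server-side on every tenant-scoped read, is what closes the hole; a client-supplied organisation id must never be trusted on its own.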

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability lets any authenticated user disclose other organizations' sensitive configuration details, including API keys, through an endpoint that never checks the caller's organization. That facilitates theft of application access tokens and of unsecured credentials held in configuration data.

Affected Assets

Vendor: superagi
Product: superagi
Version: 0.0.14

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-1230: Identifies sensitive information exposed via metadata during disclosure monitoring.
