CVE-2026-6582
Published: 19 April 2026
Summary
CVE-2026-6582 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations for access to system resources, directly addressing the missing authentication in the get_vector_db_details endpoint.
SC-14 requires server-side authentication protections for publicly accessible endpoints, mitigating the remotely exploitable unauthenticated vector database management function.
SC-7 monitors and controls communications at external boundaries, restricting network access to the vulnerable endpoint lacking authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication on public-facing Vector Database Management Endpoint (CWE-287/306) directly enables remote exploitation of the application without credentials or privileges, matching T1190: Exploit Public-Facing Application.
NVD Description
A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack…
more
can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-6582 is a missing authentication vulnerability affecting TransformerOptimus SuperAGI versions up to 0.0.14. The flaw resides in the get_vector_db_details function within the file superagi/controllers/vector_dbs.py, part of the Vector Database Management Endpoint. This issue, classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), allows unauthorized access to sensitive vector database details and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated as High severity.
Remote attackers require no privileges, user interaction, or special conditions to exploit this vulnerability over the network with low complexity. Successful exploitation grants limited access to vector database management functions, potentially enabling low-impact confidentiality, integrity, and availability disruptions, such as unauthorized retrieval or minor manipulation of vector DB details.
Advisories from VulDB and a published GitHub Gist reference indicate no vendor response despite early disclosure contact, with no patches or official mitigations available as of the CVE publication on 2026-04-19. Security practitioners should restrict network access to affected endpoints and monitor for exploit attempts using the disclosed proof-of-concept.
Notable context includes a publicly available exploit, increasing real-world exploitation risk. The vector database component ties into AI/ML workflows, where SuperAGI handles agent-based processing, making this relevant for deployments relying on embedding stores in autonomous AI systems.
Details
- CWE(s)