
CVE-2026-6615: TransformerOptimus SuperAGI Path Traversal

SuperAGI is an open-source framework designed for developing and deploying autonomous AI agents. As organizations increasingly deploy agentic AI frameworks connected to internal networks, vulnerabilities within these tools present a massive attack surface.

CVE-2026-6615 (CVSS 7.3 - 7.5 High) exposes a fundamental flaw in the framework’s resource management component. The vulnerability resides in the Multipart Upload Handler, specifically within superagi/controllers/resources.py. Because the client-supplied filename (the Name argument) is not sanitized, an attacker can use directory traversal sequences (../) to escape the intended upload directory. This allows the attacker to write arbitrary files anywhere on the host filesystem that the SuperAGI process can reach, paving the way for immediate RCE (e.g., by overwriting SSH keys or cron jobs).

The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

When a user or agent uploads a file to the SuperAGI Resource Manager, the HTTP POST request is routed to the /api/resources/add/<id> endpoint. The backend Python code in superagi/controllers/resources.py extracts the filename from the multipart form data and uses it directly in file system operations without passing it through a secure sanitization function (like werkzeug.utils.secure_filename or os.path.basename).

By intercepting the HTTP request and modifying the filename parameter to include traversal payloads (e.g., ../../../../../etc/cron.d/malicious), the attacker forces the Python application to resolve the path relative to the root directory, resulting in an arbitrary file write with the privileges of the SuperAGI process.

The attack complexity is low, and an exploit can be achieved using standard web proxies (like Burp Suite).

  1. Target Identification: The attacker accesses the SuperAGI Resource Manager web interface or interacts directly with the API.
  2. Payload Crafting: The attacker generates an SSH Public Key (to be used as the payload content).
  3. Interception: The attacker uploads a standard .txt file but intercepts the POST request to /api/resources/add/<id>.
  4. Path Manipulation: The attacker modifies the filename parameter in the multipart body to: ../../../../../../../../../../../home/<user>/.ssh/authorized_keys.
  5. Arbitrary File Write: The SuperAGI server processes the request and writes the attacker’s SSH key into the victim’s authorized_keys file.
  6. Remote Code Execution: The attacker connects to the server via SSH without a password, gaining full shell access to the host machine.

Since this attack leverages the Python process to write files, DFIR analysts should focus on unexpected file creations and suspicious web requests.

  • File System Anomalies: Search for recent modifications to highly sensitive configuration files (~/.ssh/authorized_keys, /etc/passwd, /etc/cron.d/*) where the owner or creator is the service account running SuperAGI.
  • Web/API Logs: Audit reverse proxy logs (Nginx/Traefik) or SuperAGI application logs for POST requests to /api/resources/add/* containing URL-encoded traversal characters (e.g., %2E%2E%2F).

Deploy the following detection logic to identify exploitation attempts against the SuperAGI resource manager.

sigma_superagi_arbitrary_write.yaml:

```yaml
title: SuperAGI Arbitrary File Write (CVE-2026-6615)
id: e4b5c6d7-8f9a-0b1c-2d3e-4f5a6b7c8d9e
status: experimental
description: Detects the SuperAGI python process writing files to sensitive system directories (e.g., .ssh), indicating a successful path traversal exploitation.
logsource:
  category: file_event
  product: linux
detection:
  selection:
    Image|endswith:
      - '/python'
      - '/python3'
    # list values under a single field are OR'ed by default in Sigma
    TargetFilename|contains:
      - '/.ssh/authorized_keys'
      - '/etc/cron.d/'
      - '/etc/passwd'
      - '/etc/shadow'
  condition: selection
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026-6615
```

As the vendor has not released an official patch for versions up to 0.0.14 at the time of disclosure, organizations must implement compensating controls immediately:

  1. WAF Filtering: Deploy strict Web Application Firewall (WAF) rules to block incoming HTTP requests whose multipart form bodies (in particular the filename parameter) contain ../ or its URL-encoded form %2E%2E%2F.
  2. Container Isolation: Ensure SuperAGI is deployed within a heavily restricted Docker container. Mount the host file system as Read-Only wherever possible, and restrict the container’s user privileges to prevent writes to /root/ or /etc/.
  3. Code Patching (Manual): Manually edit superagi/controllers/resources.py to enforce werkzeug.utils.secure_filename() on the Name argument before saving the file to disk.
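To illustrate the manual patch in item 3, the following added example (not SuperAGI's own code) shows an illustrative unsafe join of the kind the advisory describes beside a hardened version that sanitizes the name and then verifies the resolved target is still inside the upload directory. It uses a stdlib stand-in for werkzeug.utils.secure_filename so it runs without extra dependencies; UPLOAD_ROOT is an assumed placeholder path.

```python
import os
import re
from pathlib import Path

# Assumed upload directory (placeholder, not SuperAGI's real path).
UPLOAD_ROOT = "/var/lib/superagi/uploads"


def unsafe_upload_path(upload_root: str, name: str) -> str:
    # Illustrates the flaw class described in the advisory: the client-supplied
    # name is joined as-is, so '../' sequences walk out of upload_root.
    return os.path.normpath(os.path.join(upload_root, name))


_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_filename(name: str) -> str:
    # Stdlib stand-in for werkzeug.utils.secure_filename: drop every directory
    # component (both '/' and '\' separators), keep a conservative character
    # set, and refuse names that are empty or dot-only after cleaning.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_CHARS.sub("_", base).strip("._")
    if not base:
        raise ValueError("filename has no safe component")
    return base


def within_root(root: Path, target: Path) -> bool:
    # True when target is root itself or lies somewhere beneath it.
    return target == root or root in target.parents


def safe_upload_path(upload_root: str, name: str) -> str:
    # Defence in depth: sanitize the name, then check the resolved path is
    # still contained in the upload directory before any file-system write.
    root = Path(upload_root).resolve()
    target = (root / sanitize_filename(name)).resolve()
    if not within_root(root, target):
        raise ValueError("resolved path escapes upload directory")
    return str(target)
```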