If you're running an AI agent on your own server using SuperAGI, someone on the internet could right now be writing malicious files directly into the guts of your system — without your password, without your permission, and without you ever knowing.
Who's at Risk — and Why It Matters
SuperAGI, built by TransformerOptimus, is one of the more popular open-source platforms for deploying autonomous AI agents — the kind that can browse the web, write code, manage files, and execute tasks on your behalf. Developers, startups, and research teams around the world self-host it to build and run their own AI workflows. According to the project's GitHub repository, it has accumulated tens of thousands of stars and has been forked thousands of times, suggesting a wide and active deployment base.
Every single installation running SuperAGI version 0.0.14 or earlier carries this vulnerability. Given that this is a self-hosted platform — meaning people run it on their own cloud servers, home labs, or corporate infrastructure — the blast radius here isn't one company's data center. It's potentially thousands of independent deployments, each one a separate target, many of them maintained by small teams or solo developers who may not have robust security monitoring in place.
What an Attacker Can Actually Do to You
Here's the scenario in plain terms. SuperAGI lets you upload files to help your AI agent do its work — documents to read, data to process, resources to use. When you upload a file, you give it a name. Normally, that file lands in a safe, designated folder and stays there. But this vulnerability means an attacker can trick the system by crafting a sneaky file name — something like ../../evil.py — that acts like a set of directions, telling the server to walk backward through your folder structure and deposit the file somewhere it absolutely should not go. Think of it like a delivery driver who, instead of dropping a package at your front door, reads the label and decides to walk through your house and leave it next to your fuse box.
Once an attacker can write a file to an arbitrary location on your server, the situation escalates fast. They can overwrite configuration files to change how your system behaves. They can plant scripts in locations that get executed automatically. On a server running SuperAGI — which, by design, has the ability to run code and commands as part of its normal operation — the line between "dropped a file" and "took over your machine" is dangerously thin. In short: a file upload becomes a full server takeover.
What makes this especially urgent is that the attacker doesn't need to be logged in as you. This attack can be launched remotely, over the internet, by anyone who can reach your SuperAGI instance. If your deployment is publicly accessible — even partially — you are exposed. The vendor was contacted ahead of public disclosure and did not respond, meaning there is currently no official patch from TransformerOptimus, and the exploit code has been made publicly available, lowering the skill bar for anyone who wants to try it.
The Technical Anchor
For security researchers and defenders: this is a path traversal vulnerability (CWE-22) in the Upload function located in superagi/controllers/resources.py, specifically within the Multipart Upload Handler component. The vulnerable parameter is the Name argument passed during a multipart file upload request. There is no apparent sanitization of directory traversal sequences (../) in the filename before the server resolves the final write path. The vulnerability carries a CVSS score of 7.3 (HIGH) and is tracked as CVE-2026-6615. Because SuperAGI's agent runtime inherently executes code and shell commands as part of its function, successful file write primitives here have a clear, low-friction path to Remote Code Execution (RCE).
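The missing check described above, as an added example (not SuperAGI's code and not from the original write-up): naive_destination shows the unchecked join that CWE-22 describes, and safe_destination is one way to resolve an upload name so it cannot leave the upload root. The function names, the exception class and the sample names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeUploadName(ValueError):
    """The client-supplied name would not stay inside the upload root."""


def naive_destination(upload_root: str, name: str) -> str:
    # CWE-22 pattern: the name from the multipart request is joined unchecked.
    return os.path.normpath(os.path.join(upload_root, name))


def safe_destination(upload_root: str, name: str) -> Path:
    root = Path(upload_root).resolve()
    # Treat backslashes as separators so "..\\x" is handled like "../x".
    candidate = name.replace("\\", "/")
    if not candidate or "\x00" in candidate:
        raise UnsafeUploadName("empty name or NUL byte")
    # Reject, rather than silently strip, any directory component: a rejected
    # request is something the server can log and alert on.
    if Path(candidate).name != candidate or candidate in (".", ".."):
        raise UnsafeUploadName(f"directory component in name: {name!r}")
    dest = (root / candidate).resolve()
    # Containment check after resolution also catches a symlink planted in root.
    try:
        dest.relative_to(root)
    except ValueError:
        raise UnsafeUploadName(f"resolves outside upload root: {name!r}") from None
    return dest


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # constructed stand-in for the upload directory
    # Constructed sample names: one benign, three that must be rejected.
    for name in ["report.csv", "../../evil.py", "/absolute/path.txt", "..\\evil.py"]:
        print(f"{name!r}: naive -> {naive_destination(root, name)}")
        try:
            print(f"    safe  -> {safe_destination(root, name)}")
        except UnsafeUploadName as exc:
            print(f"    safe  -> rejected ({exc})")
```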
Has This Been Used in the Wild?
As of this writing, no confirmed active exploitation campaigns have been attributed to CVE-2026-6615. However, that window closes fast once public exploit code exists — and it already does. The vulnerability was discovered and disclosed publicly, with the researcher noting that the vendor, TransformerOptimus, was contacted early in the process but did not respond in any way. That silence means the community cannot expect an emergency patch to arrive on any predictable timeline. Security teams tracking AI infrastructure threats should add this CVE to their watchlists immediately. The combination of a public exploit, a non-responsive vendor, and a widely deployed open-source AI platform is precisely the recipe that attracts opportunistic attackers within days of disclosure.
What You Should Do Right Now
If you or your organization runs SuperAGI, take these three steps immediately:
- Isolate your SuperAGI instance from public internet access. Place it behind a VPN or firewall rule that restricts access to known, trusted IP addresses only. This is the single highest-impact action you can take today. Any SuperAGI deployment reachable from the open internet on its default port (typically 8001) should be considered actively at risk.
- Audit your deployment for signs of unexpected files. Check directories outside of the intended superagi/resources/ upload path for any recently modified or unfamiliar files. Pay particular attention to executable files (.py, .sh, .js) and configuration files that may have been overwritten. Use a command like find / -newer /var/log/syslog -type f 2>/dev/null (adjusted for your OS) to surface recently changed files.
- Monitor the official SuperAGI GitHub repository (github.com/TransformerOptimus/SuperAGI) for a patched release above version 0.0.14. Watch the releases page and subscribe to security advisories. Do not upgrade to a new version assuming it is fixed — verify the changelog explicitly mentions a fix for CVE-2026-6615 or the path traversal issue in resources.py. Until a verified patch exists, treat the isolation step above as mandatory, not optional.
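A scoped version of the audit step, as an added example that is not part of the original article or the SuperAGI project: it walks a deployment tree, skips the upload directory where new files are expected, and lists recently modified executable and configuration files elsewhere. The function name, the two directory parameters and the configuration suffixes are assumptions to adjust for your install.

```python
import os
from pathlib import Path

# .py/.sh/.js come from the audit step above; the config suffixes are assumptions.
WATCHED_SUFFIXES = {".py", ".sh", ".js", ".yaml", ".yml", ".json", ".conf"}


def recently_changed_outside_upload(scan_root, upload_dir, since_epoch,
                                    suffixes=WATCHED_SUFFIXES):
    """Watched files under scan_root, outside upload_dir, modified at or
    after since_epoch (seconds since the epoch), newest first."""
    scan_root = Path(scan_root).resolve()
    upload_dir = Path(upload_dir).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(scan_root, followlinks=False):
        here = Path(dirpath)
        # Prune the upload directory in place: uploads are expected to land there.
        dirnames[:] = [d for d in dirnames if (here / d).resolve() != upload_dir]
        for fname in filenames:
            path = here / fname
            if path.suffix.lower() not in suffixes:
                continue
            try:
                mtime = path.lstat().st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if mtime >= since_epoch:
                hits.append((mtime, str(path)))
    return [p for _, p in sorted(hits, reverse=True)]
```

Modification times can be reset by whoever wrote the file, so an empty result does not by itself clear a host.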
CVE: CVE-2026-6615 | CVSS: 7.3 HIGH | Affected versions: SuperAGI ≤ 0.0.14 | Patch available: No (as of publication) | Public exploit: Yes