CVE-2024-45187

HIGH

Mage AI - Privilege Escalation

Title source: llm

Description

Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server

References (1)

[Third Party Advisory] https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602/

Scores

CVSS v3 7.1

EPSS 0.0008

EPSS Percentile 24.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-266 CWE-613

Status published

Products (2)

mage/mage-ai

pypi/mage-ai 0PyPI

Published Aug 23, 2024

Tracked Since Feb 18, 2026