AGL app-framework-binder Privilege Escalation (CVE-2026-37525)

The National Vulnerability Database has detailed CVE-2026-37525, a high-severity privilege escalation vulnerability in AGL app-framework-binder (afb-daemon) through v19.90.0. This flaw resides within the supervision Do command, specifically in the on_supervision_call function in src/afb-supervision.c. The core issue, as described by the National Vulnerability Database, is that the function explicitly nullifies request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call.

This nullification means that any registered API can be executed with a NULL credential context. According to the National Vulnerability Database, APIs that rely on context->credentials for authorization decisions may fail open, effectively granting an attacker elevated privileges. The vulnerability was introduced in a commit from February 14, 2018, indicating a long-standing weakness in the framework. The CVSSv3.1 score is 7.8 (HIGH), with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, highlighting significant impacts on confidentiality, integrity, and availability from a low-privilege local attacker.
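To make the fail-open mechanism concrete, the following is an added example written for this page, not code from afb-daemon or the AGL project. It models a request context whose credential pointer is cleared by a supervision-style dispatcher before the requested verb runs, then contrasts a verb that treats a missing credential as unrestricted with one that refuses to authorize without a credential. All type and function names (struct xreq, change_cred, supervision_do, run_scenario), the sample uid and the label string are this example's own assumptions; the fail-closed variant illustrates one hardening choice, not the upstream fix.

```c
/* Added example, not afb-daemon's code. Minimal model of the CVE-2026-37525
 * pattern: a request context carries an optional credential pointer; the
 * supervision "Do" dispatcher clears it before calling the requested verb,
 * as afb_context_change_cred(&xreq->context, NULL) does in the advisory.
 * Two verb implementations show what happens next: one treats a missing
 * credential as "no restriction" (fails open), the other refuses to
 * authorize without one (fails closed). Names and values are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cred {
    unsigned uid;        /* caller uid, 0 = root */
    const char *label;   /* security label (made-up value below) */
};

struct context {
    struct cred *credentials;   /* NULL after the dispatcher clears it */
};

struct xreq {
    struct context context;
    const char *api;
    const char *verb;
};

enum result { DENIED = 0, ALLOWED = 1 };

/* Model of afb_context_change_cred: replaces the request's credentials. */
static void change_cred(struct context *ctx, struct cred *cred)
{
    ctx->credentials = cred;
}

/* Vulnerable pattern: only a *present* non-root credential is rejected,
 * so a NULL credential silently takes the trusted path. */
static enum result privileged_verb_fail_open(struct xreq *xreq)
{
    struct cred *c = xreq->context.credentials;
    if (c != NULL && c->uid != 0)
        return DENIED;
    return ALLOWED;
}

/* Hardened pattern: no credential means no authorization. */
static enum result privileged_verb_fail_closed(struct xreq *xreq)
{
    struct cred *c = xreq->context.credentials;
    if (c == NULL || c->uid != 0)
        return DENIED;
    return ALLOWED;
}

typedef enum result (*verb_fn)(struct xreq *);

/* Model of the Do handling in on_supervision_call: credentials are
 * nullified, then the caller-chosen verb is dispatched in that context. */
static enum result supervision_do(struct xreq *xreq, verb_fn verb)
{
    change_cred(&xreq->context, NULL);
    return verb(xreq);
}

/* Runs the scenario for an unprivileged caller. Returns 1 if that caller
 * ends up with the privileged verb ALLOWED via the Do path, 0 if denied,
 * -1 if the direct call (credentials intact) was unexpectedly allowed. */
int run_scenario(bool hardened)
{
    struct cred attacker = { .uid = 1000, .label = "example-unprivileged" };
    struct xreq req = { .context = { &attacker }, .api = "target", .verb = "privileged" };
    verb_fn verb = hardened ? privileged_verb_fail_closed : privileged_verb_fail_open;

    /* Direct call with credentials intact: uid 1000 is denied either way. */
    if (verb(&req) != DENIED)
        return -1;

    /* Same verb reached through the supervision Do path. */
    return supervision_do(&req, verb) == ALLOWED ? 1 : 0;
}

int main(void)
{
    printf("fail-open verb via supervision Do:   %s\n",
           run_scenario(false) == 1 ? "ALLOWED (privilege escalation)" : "denied");
    printf("fail-closed verb via supervision Do: %s\n",
           run_scenario(true) == 1 ? "ALLOWED" : "denied");
    return 0;
}
```

Compile with cc -std=c11 -Wall and run: run_scenario(false) returns 1 because the unprivileged caller reaches the privileged verb once the dispatcher has cleared its credentials, while run_scenario(true) returns 0. The checks a practitioner wants are the same in any API that consults context->credentials: deny when the pointer is NULL, and never let a dispatcher reset credentials on a request that originated from a less-privileged caller.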

NVD does not enumerate downstream products, so any AGL-based image or other system that ships afb-daemon at or below v19.90.0 should be treated as affected. The attacker's path follows the CVSS vector (AV:L, PR:L): they already hold a low-privilege local foothold and must be able to submit a supervision Do request to afb-daemon; from there they name any registered api and verb and have it executed without credentials, which is a building block for full control of the device rather than an end in itself.

What This Means For You

  • If your organization ships AGL app-framework-binder, assess your exposure to CVE-2026-37525 now: confirm whether your images run afb-daemon at or below v19.90.0 and whether a fixed build is available. Because a local attacker can turn this into full system compromise, prioritize updating; where you cannot, restrict which local principals can reach afb-daemon's supervision interface and audit every registered API that authorizes on context->credentials for fail-open behaviour.

🛡️ Detection Rules

Detection rules for this advisory were auto-generated and mapped to MITRE ATT&CK; one is reproduced below as Sigma YAML.

Level: critical · ATT&CK: T1068 (Exploitation for Privilege Escalation)

Privilege Escalation via AGL app-framework-binder Supervision Do Command - CVE-2026-37525

Sigma YAML:
title: Privilege Escalation via AGL app-framework-binder Supervision Do Command - CVE-2026-37525
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  Detects an afb-daemon process whose command line carries a 'supervision.do' request with
  attacker-controlled 'api' and 'verb' parameters, the shape of the CVE-2026-37525 primitive:
  on_supervision_call in src/afb-supervision.c calls afb_context_change_cred(&xreq->context, NULL)
  before dispatching the requested verb, so any registered API runs with a NULL credential
  context and APIs that authorize on context->credentials may fail open.
  Caveat: the Do command is a request handled inside afb-daemon (on_supervision_call receives an
  xreq), not an argument on the daemon's own command line, so process_creation telemetry will
  not normally contain it. Treat this rule as a template and re-key the selection to whatever
  source records requests reaching afb-daemon's supervision interface.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-37525/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/afb-daemon'
    # All three substrings must be present. The original listed CommandLine|contains three
    # times in one mapping, which is a duplicate YAML key: parsers keep only the last entry.
    CommandLine|contains|all:
      - 'supervision.do'
      - '{"api":"'
      - '","verb":"'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

These entries identify the vulnerable component and code path rather than host or network observables; there is no file hash, address or log signature to hunt for.

ID             | Type                 | Indicator
CVE-2026-37525 | Privilege Escalation | AGL app-framework-binder (afb-daemon) through v19.90.0
CVE-2026-37525 | Privilege Escalation | Vulnerable function: on_supervision_call in src/afb-supervision.c
CVE-2026-37525 | Privilege Escalation | Vulnerable command: supervision Do command
CVE-2026-37525 | Privilege Escalation | Credential nullification via afb_context_change_cred(&xreq->context, NULL)
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

CVE-2026-7588 — Ggerve Coding-Standards-Mcp Path Traversal

CVE-2026-7588 — A vulnerability was found in ggerve coding-standards-mcp. This issue affects the function get_style_guide/get_best_practices of the file server.py. The manipulation of the argument Language...


CVE-2026-35233 — Denial of Service

CVE-2026-35233 — An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to...


CVE-2026-7587 — Open5GS Denial of Service

CVE-2026-7587 — A vulnerability has been found in Open5GS up to 2.7.7. This vulnerability affects the function amf_nsmf_pdusession_handle_update_sm_context of the file /src/amf/nsmf-handler.c of the component...
