AGL app-framework-binder CVE-2026-37526 Allows Local Privilege Escalation

The National Vulnerability Database has detailed CVE-2026-37526, a high-severity vulnerability (CVSS 7.8) in AGL’s app-framework-binder (afb-daemon) up to version 19.90.0. This flaw allows any local process to execute privileged supervision commands without authentication. The vulnerability stems from the on_supervision_call function in src/afb-supervision.c, which dispatches critical commands like Exit, Do, Sclose, Config, Trace, Debug, Token, and slist without any credential verification.

The exploit vector is an abstract Unix socket, @urn:AGL:afs:supervision:socket, which lacks DAC protection: sockets in the Linux abstract namespace have no filesystem node, so no file mode or ownership is checked on connect, and any local process in the same network namespace can reach the endpoint. This design oversight, acknowledged in the official CAUTION comment within src/afs-supervision.h, enables low-privileged local processes to perform severe actions. Attackers can trigger a Denial-of-Service by killing the daemon, execute arbitrary API calls, close user sessions, or exfiltrate the entire global configuration.

This vulnerability was introduced in a commit dating back to June 29, 2017, highlighting a long-standing security gap. Defenders must recognize that local privilege escalation vulnerabilities, especially those exposing critical daemon functions, are prime targets for attackers looking to pivot from initial access to full system control. The lack of authentication on such a critical interface is a fundamental security failure.

What This Means For You

  • If your organization utilizes AGL's app-framework-binder, specifically versions up to 19.90.0, you are exposed to local privilege escalation. Immediately audit your systems for this software and apply any available patches or mitigations to restrict access to the abstract Unix socket. This isn't just a DoS risk; it's a direct path to arbitrary code execution and data exfiltration from a low-privileged foothold.
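One way to perform that audit on a Linux host, as an added example that is not part of the advisory or of AGL's own tooling: the kernel lists abstract-namespace sockets in /proc/net/unix with a leading '@' and marks listening sockets with the __SO_ACCEPTCON flag (printed as 00010000), so a small parser can report whether the supervision socket is currently exposed. The sample table below is constructed.

```python
"""Report whether the AGL supervision socket is exposed on this host.

Added example, not code from the advisory or from AGL. Linux lists
abstract-namespace sockets in /proc/net/unix with a leading '@'; a listening
socket carries the __SO_ACCEPTCON flag, which the kernel prints as 00010000.
"""
from typing import Dict, List

SUPERVISION_SOCKET = "@urn:AGL:afs:supervision:socket"  # name from the advisory
LISTENING_FLAGS = "00010000"  # __SO_ACCEPTCON as printed in /proc/net/unix


def parse_proc_net_unix(text: str) -> List[Dict[str, str]]:
    """Parse the /proc/net/unix table into dicts; skip the header row and
    unnamed sockets (which have no Path column)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        sockets.append({"flags": fields[3], "state": fields[5],
                        "inode": fields[6], "path": fields[7]})
    return sockets


def is_exposed_abstract_listener(sock: Dict[str, str], name: str) -> bool:
    """True for a listening socket in the abstract namespace with that name.
    Abstract sockets have no filesystem node, so no DAC mode applies to them."""
    return (sock["path"].startswith("@")
            and sock["flags"] == LISTENING_FLAGS
            and sock["path"] == name)


def exposed_supervision_sockets(text: str) -> List[Dict[str, str]]:
    return [s for s in parse_proc_net_unix(text)
            if is_exposed_abstract_listener(s, SUPERVISION_SOCKET)]


# Constructed sample in /proc/net/unix layout, not captured from a real host.
SAMPLE_PROC_NET_UNIX = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 23456 @urn:AGL:afs:supervision:socket
0000000000000000: 00000002 00000000 00010000 0001 01 23457 /run/dbus/system_bus_socket
0000000000000000: 00000003 00000000 00000000 0001 03 23458
"""

if __name__ == "__main__":
    with open("/proc/net/unix") as fh:  # live check on a Linux host
        for sock in exposed_supervision_sockets(fh.read()):
            print(f"exposed: {sock['path']} (inode {sock['inode']})")
```

A hit means the unauthenticated endpoint is reachable by every local process; the fix is an updated binder, and until then the daemon should only run on hosts where every local user is already trusted with its privileges.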

Detection Rules


Rule (level: critical; ATT&CK T1219, Privilege Escalation): CVE-2026-37526 - AGL app-framework-binder Local Privilege Escalation via Supervision Socket

Sigma YAML:
title: CVE-2026-37526 - AGL app-framework-binder Local Privilege Escalation via Supervision Socket
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the 'afb_client' utility attempting to interact with the AGL app-framework-binder daemon's supervision socket. This rule specifically targets the unauthenticated execution of privileged commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) via the abstract Unix socket '@urn:AGL:afs:supervision:socket', which is indicative of CVE-2026-37526. This allows a local, low-privileged process to escalate privileges by manipulating the daemon.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-37526/
tags:
  - attack.privilege_escalation
  - attack.t1219
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    # The created process is the client named in the description; the daemon
    # itself never carries an afb_client command line.
    Image|contains:
      - 'afb_client'
    ParentImage|contains:
      - '/bin/sh'
    CommandLine|contains:
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Exit'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Do'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Sclose'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Config'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Trace'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Debug'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method Token'
      - 'afb_client --socket @urn:AGL:afs:supervision:socket --method slist'
  condition: selection
falsepositives:
  - Legitimate administrative activity
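To show what the selection above actually fires on, here is an added example (not the advisory's, the Sigma project's, or AGL's code) that evaluates the rule's field|contains selection over constructed process_creation events; it assumes the Image field is matched on the afb_client utility the rule's description names, and the sample events are constructed.

```python
"""Evaluate the Sigma selection above over process_creation events.

Added example, not the advisory's or the Sigma project's code: a minimal
evaluator for the 'field|contains' modifier, enough to run this rule. The
Image is matched on the afb_client utility the rule's description names.
"""
from typing import Dict, List

SUPERVISION_SOCKET = "@urn:AGL:afs:supervision:socket"
PRIVILEGED_METHODS = ["Exit", "Do", "Sclose", "Config", "Trace", "Debug", "Token", "slist"]

# Sigma semantics: every field in a selection must match (AND); a list of
# values for one field matches if any value does (OR).
SELECTION: Dict[str, List[str]] = {
    "Image|contains": ["afb_client"],
    "ParentImage|contains": ["/bin/sh"],
    "CommandLine|contains": [
        f"afb_client --socket {SUPERVISION_SOCKET} --method {m}" for m in PRIVILEGED_METHODS
    ],
}


def field_matches(event: Dict[str, str], spec: str, patterns: List[str]) -> bool:
    """Apply one 'Field|modifier' entry; only 'contains' is needed here."""
    field, _, modifier = spec.partition("|")
    value = event.get(field, "")
    if modifier == "contains":
        return any(p in value for p in patterns)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: Dict[str, str], selection=SELECTION) -> bool:
    return all(field_matches(event, spec, pats) for spec, pats in selection.items())


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if selection_matches(e)]


# Constructed sample events in process_creation shape, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/afb_client", "ParentImage": "/bin/sh",
     "CommandLine": f"afb_client --socket {SUPERVISION_SOCKET} --method Exit"},
    {"Image": "/usr/bin/afb_client", "ParentImage": "/bin/sh",  # other socket: benign
     "CommandLine": "afb_client --socket @urn:AGL:afs:other:socket --method Exit"},
    {"Image": "/usr/bin/afb-daemon", "ParentImage": "/lib/systemd/systemd",  # daemon start
     "CommandLine": "afb-daemon"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The match is a literal substring, so the same request issued with a different argument order, a different parent shell, or another client program is not caught; treat the rule as a starting point and pair it with the socket audit.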


Indicators of Compromise

ID | Type | Indicator
CVE-2026-37526 | Privilege Escalation | AGL app-framework-binder (afb-daemon) through v19.90.0
CVE-2026-37526 | Auth Bypass | abstract Unix socket @urn:AGL:afs:supervision:socket
CVE-2026-37526 | Code Injection | on_supervision_call function in src/afb-supervision.c allows 'Do' command execution
CVE-2026-37526 | Information Disclosure | on_supervision_call function in src/afb-supervision.c allows 'Config' command to leak global configuration
CVE-2026-37526 | DoS | on_supervision_call function in src/afb-supervision.c allows 'Exit' command to kill daemon
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
