PT-2026-36503 · Agl · App-Framework-Binder

Sginnora · Published 2026-05-01 · Updated 2026-05-07 · CVE-2026-37525

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AGL app-framework-binder (afb-daemon) versions prior to 19.90.1

Description: A privilege escalation issue exists in the supervision Do command. The on_supervision_call() function in src/afb-supervision.c nullifies request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an API call. Because the api and verb parameters are controlled via JSON input, an attacker can execute any registered API with a NULL credential context. If an API relies on context->credentials for authorization, it may fail open, allowing the attacker to gain elevated privileges.

Recommendations: Update to a version later than 19.90.0.
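
An added illustration of the fail-open condition described above, shown beside a fail-closed check; this is not code from the advisory or from app-framework-binder. The struct cred and struct context types, the function names, and the uid-comparison rule are simplified, hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for illustration; not the binder's real types. */
struct cred { unsigned uid; };
struct context { const struct cred *credentials; };
typedef bool (*authz_fn)(const struct context *ctx, unsigned owner_uid);

/* Fail-open: denies only when credentials exist AND mismatch, so a
 * context with no credentials at all is allowed through. */
bool authz_fail_open(const struct context *ctx, unsigned owner_uid)
{
    if (ctx->credentials != NULL && ctx->credentials->uid != owner_uid)
        return false;
    return true;
}

/* Fail-closed: the absence of credentials is itself a denial. */
bool authz_fail_closed(const struct context *ctx, unsigned owner_uid)
{
    if (ctx == NULL || ctx->credentials == NULL)
        return false;
    return ctx->credentials->uid == owner_uid;
}

/* Models the order the advisory describes: credentials are cleared
 * first, then the target verb's own authorization check runs. */
bool dispatch_after_cred_reset(struct context *ctx, authz_fn check,
                               unsigned owner_uid)
{
    ctx->credentials = NULL;
    return check(ctx, owner_uid);
}

int main(void)
{
    const struct cred caller = { .uid = 1000 };  /* constructed sample caller */
    struct context ctx = { .credentials = &caller };

    printf("direct call, fail-open check:  %d\n", authz_fail_open(&ctx, 0));
    printf("after reset, fail-open check:  %d\n",
           dispatch_after_cred_reset(&ctx, authz_fail_open, 0));
    ctx.credentials = &caller;  /* restore for the second scenario */
    printf("after reset, fail-closed check: %d\n",
           dispatch_after_cred_reset(&ctx, authz_fail_closed, 0));
    return 0;
}
```

When auditing APIs registered with an affected binder, the pattern to look for is any authorization branch that is skipped, rather than denied, when context->credentials is NULL.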

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-37525

Affected Products: App-Framework-Binder