The vulnerability exists in the on_supervision_call function of afb-daemon, which dispatches eight privileged commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without verifying credentials. The abstract Unix socket @urn:AGL:afs:supervision:socket has no discretionary access control (DAC) protection, as noted in the source code comments. This design flaw permits any local process to invoke these commands, leading to potential denial of service, unauthorized API execution, session termination, and information disclosure. The issue was introduced in a 2017 commit and affects versions through 19.90.0. The CVSS 3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity and no user interaction required.

An attacker with local access can exploit this vulnerability to kill the afb-daemon process causing denial of service, execute arbitrary API commands with elevated privileges, forcibly close user sessions, and access sensitive global configuration data. This compromises system availability, confidentiality, and integrity. The vulnerability does not require user interaction and has low attack complexity but requires local access.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and monitor for unauthorized local activity targeting the afb-daemon. Consider applying discretionary access controls or socket permissions if possible to limit access to the abstract Unix socket. Do not rely on the current unauthenticated supervision command interface for security.