Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51.
AnalysisAI
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user to take over another user's session via an IDOR flaw in the PATCH /sessions/{session_id}/assign-user endpoint. An attacker who can guess or otherwise learn a target session_id can reassign that session to themselves, read its conversation contents, and lock the legitimate owner out. No public exploit identified at time of analysis, and the issue is fixed in 0.6.51 per the upstream GHSA-q58p-v9r9-7gqj advisory.
Technical ContextAI
AutoGPT is an open-source workflow automation platform for building and operating autonomous AI agents, with a backend that persists per-user agent 'sessions' containing conversation history and state. The vulnerability is a textbook CWE-862 Missing Authorization: the session reassignment endpoint authenticates the caller but the service layer calls into the data access layer with user_id=None, a sentinel that the DAL interprets as a privileged/system context and therefore skips the ownership filter on the session lookup. As a result, the standard 'tenant scoping' that normally constrains a user to their own session rows is silently bypassed for this code path, even though the rest of the request flow looks correctly authenticated. The CPE cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:* indicates the flaw is in the AutoGPT application layer itself rather than an underlying library.
RemediationAI
Upgrade to the vendor-released patched version AutoGPT 0.6.51 or later, which is the fix referenced in advisory https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-q58p-v9r9-7gqj and commit https://github.com/Significant-Gravitas/AutoGPT/commit/eca7b5e79370c34ed75e80badb824023d7d8629d. If immediate upgrade is not possible, restrict network access to the AutoGPT API so that only trusted authenticated users can reach the PATCH /sessions/{session_id}/assign-user endpoint (for example via reverse proxy ACL or WAF rule blocking that specific path), accepting that this disables legitimate session reassignment for blocked users; additionally, audit application logs for unexpected calls to the assign-user endpoint and rotate or invalidate active sessions for high-value accounts. As a code-level workaround for self-hosted forks, ensure the service layer passes the caller's user_id (not None) into the session lookup so the DAL enforces ownership.
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform
{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta
Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s
Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30814