Skip to main content

AutoGPT CVE-2026-55237

| EUVDEUVD-2026-37915 HIGH
Improper Neutralization of Alternate XSS Syntax (CWE-87)
2026-06-18 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
vuln.today AI
8.8 HIGH

Network-delivered link, low complexity, no attacker auth, requires victim click (UI:R); script runs in victim's authenticated origin so scope changes with high confidentiality and limited integrity/availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 19:01 EUVD
Analysis Generated
Jun 18, 2026 - 17:07 vuln.today

DescriptionCVE.org

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter (next), which is passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 0.6.62 patches the issue.

AnalysisAI

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose next URL parameter is passed unsanitized into router.push. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft signup URL with malicious `next` param
Delivery
Deliver link via phishing to AutoGPT user
Exploit
Victim clicks link while authenticated
Execution
router.push navigates to attacker payload
Persist
JavaScript executes in AutoGPT origin
Impact
Steal session token and invoke API as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a victim who is already authenticated to a vulnerable AutoGPT instance prior to version 0.6.62, (2) the victim to click an attacker-crafted link to the AutoGPT `/signup` page that carries a malicious `next` query parameter, and (3) network reachability from the victim's browser to the AutoGPT front-end. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L yields 8.8 largely because of the scope change (script running in the user's session can reach data outside the vulnerable component) and the network attack vector, but it materially depends on UI:R - the victim must click an attacker-supplied link while authenticated to AutoGPT. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a phishing message containing a link to the AutoGPT signup page with a malicious `next` parameter (for example a `javascript:` URI or an attacker-controlled URL that loads a payload). When an authenticated AutoGPT user opens the link in their browser, `router.push` honors the attacker-supplied value and the payload executes in the AutoGPT origin, allowing the attacker to exfiltrate session tokens, read workflow configurations, or invoke AutoGPT API actions as the victim.
Remediation Vendor-released patch: AutoGPT 0.6.62 - upgrade all front-end instances to 0.6.62 or later per the advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-j2cp-jg5q-38wj. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all AutoGPT deployments to identify current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-32437 HIGH
8.7 Jun 18

Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by

CVE-2025-32424 HIGH
8.7 Jun 18

Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining

CVE-2025-32422 HIGH
8.7 Jun 18

Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t

CVE-2025-32392 HIGH
8.7 Jun 18

Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic

CVE-2026-56663 HIGH
8.5 Jun 26

Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send

CVE-2026-33232 HIGH
7.5 May 19

Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s

CVE-2026-30950 HIGH
7.1 May 18

Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user

CVE-2025-32436 HIGH
7.1 Jun 18

Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform

CVE-2026-56823 MEDIUM
5.4 Jun 26

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta

CVE-2025-32423 MEDIUM
5.3 Jun 26

Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s

CVE-2025-32394 MEDIUM
5.3 Jun 26

Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio

Share

CVE-2026-55237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy