Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Network-delivered link, low complexity, no attacker auth, requires victim click (UI:R); script runs in victim's authenticated origin so scope changes with high confidentiality and limited integrity/availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter (next), which is passed to router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 0.6.62 patches the issue.
AnalysisAI
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScript in an authenticated victim's browser by tricking them into clicking a crafted signup-page link whose next URL parameter is passed unsanitized into router.push. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-j2cp-jg5q-38wj) confirms the issue and ships a fix in 0.6.62.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a victim who is already authenticated to a vulnerable AutoGPT instance prior to version 0.6.62, (2) the victim to click an attacker-crafted link to the AutoGPT `/signup` page that carries a malicious `next` query parameter, and (3) network reachability from the victim's browser to the AutoGPT front-end. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L yields 8.8 largely because of the scope change (script running in the user's session can reach data outside the vulnerable component) and the network attack vector, but it materially depends on UI:R - the victim must click an attacker-supplied link while authenticated to AutoGPT. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a phishing message containing a link to the AutoGPT signup page with a malicious `next` parameter (for example a `javascript:` URI or an attacker-controlled URL that loads a payload). When an authenticated AutoGPT user opens the link in their browser, `router.push` honors the attacker-supplied value and the payload executes in the AutoGPT origin, allowing the attacker to exfiltrate session tokens, read workflow configurations, or invoke AutoGPT API actions as the victim. |
| Remediation | Vendor-released patch: AutoGPT 0.6.62 - upgrade all front-end instances to 0.6.62 or later per the advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-j2cp-jg5q-38wj. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all AutoGPT deployments to identify current versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform
{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta
Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s
Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37915