Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51.
Published: 2026-05-18
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the session assignment endpoint lets an authenticated attacker who learns another user's session ID take that session over, read every message exchanged in it, and lock the legitimate owner out. The cause is the service layer invoking the session lookup as a privileged (user_id=None) caller without first checking that the requester owns the session; this is Missing Authorization (CWE‑862), the weakness behind most IDOR findings. The result is a confidentiality breach for the session contents and a denial of service for the affected user.
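The pattern the advisory describes, modelled in code. This is an added illustration, not AutoGPT's own source: a data access layer whose ownership filter is skipped when user_id is None (the "system caller" convention), and two versions of the service behind PATCH /sessions/{session_id}/assign-user, one that performs the lookup as system and one scoped to the caller. The class and function names, the in-memory store and the sample users are all assumed for the example.

```python
"""Hypothetical model of the missing-authorization flaw (not AutoGPT code)."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class NotFound(Exception):
    """Raised for sessions that do not exist or are not visible to the caller."""


@dataclass
class Session:
    session_id: str
    user_id: str                      # current owner
    messages: List[str] = field(default_factory=list)


class SessionStore:
    """Data access layer (assumed shape).  user_id=None means a privileged or
    system caller and bypasses the ownership filter; any real user id is
    enforced.  This is the convention the advisory attributes to the DAL."""

    def __init__(self, sessions: Dict[str, Session]) -> None:
        self._sessions = sessions

    def get(self, session_id: str, user_id: Optional[str]) -> Session:
        session = self._sessions.get(session_id)
        if session is None:
            raise NotFound(session_id)
        if user_id is not None and session.user_id != user_id:
            # Non-owners cannot distinguish a foreign session from a missing one.
            raise NotFound(session_id)
        return session

    def set_owner(self, session_id: str, user_id: str) -> None:
        self._sessions[session_id].user_id = user_id


def assign_user_vulnerable(store: SessionStore, session_id: str, caller: str) -> None:
    """Service layer as the advisory describes it: the caller is authenticated,
    but the lookup runs as system, so any session ID the caller knows is
    reassigned to them."""
    session = store.get(session_id, user_id=None)        # BUG: ownership not checked
    store.set_owner(session.session_id, caller)


def assign_user_fixed(store: SessionStore, session_id: str, caller: str) -> None:
    """Hardened service: the lookup is scoped to the caller, so a session the
    caller does not own raises NotFound before anything is changed."""
    session = store.get(session_id, user_id=caller)
    store.set_owner(session.session_id, caller)


def read_messages(store: SessionStore, session_id: str, caller: str) -> List[str]:
    """Read path, already scoped to the caller.  Once the owner column has
    been flipped it serves the attacker and rejects the original owner."""
    return store.get(session_id, user_id=caller).messages


def make_store() -> SessionStore:
    """Constructed sample data: alice owns sess-a; mallory is another
    authenticated user who has learned that session ID."""
    return SessionStore({
        "sess-a": Session("sess-a", "alice", ["alice: Q3 launch plan, draft"]),
        "sess-m": Session("sess-m", "mallory", ["mallory: hello"]),
    })


def hijack(store: SessionStore, assign: Callable[[SessionStore, str, str], None]) -> dict:
    """Run one assign-user implementation from mallory's authenticated context
    against alice's session and report what she can observe afterwards."""
    outcome = {"reassigned": False, "leaked": None, "owner_locked_out": False}
    try:
        assign(store, "sess-a", "mallory")
    except NotFound:
        return outcome                      # fixed build: request rejected
    outcome["reassigned"] = True
    outcome["leaked"] = read_messages(store, "sess-a", "mallory")
    try:
        read_messages(store, "sess-a", "alice")
    except NotFound:
        outcome["owner_locked_out"] = True
    return outcome


if __name__ == "__main__":
    print("vulnerable:", hijack(make_store(), assign_user_vulnerable))
    print("fixed:     ", hijack(make_store(), assign_user_fixed))
```

The vendor's actual fix in 0.6.51 may be structured differently; the property worth checking in any codebase with a "None means system" convention is that no request-scoped service path can reach the data layer with user_id=None, since the read path being correctly scoped is no protection once a write path has changed the owner.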

Affected Systems

Versions 0.6.36 through 0.6.50 of Significant Gravitas AutoGPT are affected. The vulnerability was remedied in version 0.6.51 and later.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) is rated High: the endpoint is reachable over the network, attack complexity is low, only an ordinary authenticated account is needed and no user interaction is required; the confidentiality impact is high because the attacker reads the whole hijacked session, the availability impact is low because the owner is locked out, and no integrity impact is recorded. EPSS is not yet available and the issue is not listed in the CISA KEV catalog. The one real precondition is obtaining a valid session_id for a target session; how hard that is depends on whether session IDs are guessable or exposed in URLs, logs or shared links. Once a session is hijacked, the attacker can read private messages and deny service to the legitimate owner.

Generated by OpenCVE AI on May 18, 2026 at 23:20 UTC.

Remediation

The vendor has fixed this issue in AutoGPT 0.6.51; no workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade AutoGPT to version 0.6.51 or later.
  • If an upgrade is not immediately possible, block or disable the PATCH /sessions/{session_id}/assign-user endpoint at the reverse proxy or in the application until it is patched; restricting it to "internal" networks is not enough on its own, because the attacker only needs an ordinary authenticated account.
  • Log every assign-user call with the caller, the session_id and the session's owner before the call, and alert on a successful reassignment where the caller was not the prior owner, and on one account touching many distinct session IDs in a short window (session ID guessing).
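A detection sketch for the logging recommendation above, added here as an example and not part of OpenCVE's or AutoGPT's tooling. It assumes the application emits one structured record per assign-user call carrying the caller, the session ID, the session's owner before the call and the HTTP status; the field names and the sample lines are constructed for the example, and a real deployment would map its own log schema onto them.

```python
"""Two detection rules over assign-user audit records (constructed sample data)."""

import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one JSON record per PATCH .../assign-user call.
# Field names are assumed; "prior_owner" is the owner before the call,
# null when the session did not exist.
SAMPLE_LOG = """
{"ts": "2026-05-18T10:00:01Z", "actor": "alice",   "session_id": "sess-a",  "prior_owner": "alice", "status": 200}
{"ts": "2026-05-18T10:05:10Z", "actor": "mallory", "session_id": "sess-a",  "prior_owner": "alice", "status": 200}
{"ts": "2026-05-18T10:05:11Z", "actor": "mallory", "session_id": "sess-b",  "prior_owner": "bob",   "status": 200}
{"ts": "2026-05-18T10:05:12Z", "actor": "mallory", "session_id": "sess-c",  "prior_owner": "carol", "status": 200}
{"ts": "2026-05-18T10:05:13Z", "actor": "mallory", "session_id": "sess-zz", "prior_owner": null,    "status": 404}
{"ts": "2026-05-18T11:30:00Z", "actor": "bob",     "session_id": "sess-b2", "prior_owner": "bob",   "status": 200}
""".strip()


def parse(raw: str) -> List[dict]:
    """Parse newline-delimited JSON records and convert timestamps."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def cross_user_reassignments(events: List[dict]) -> List[dict]:
    """Rule 1: a successful reassignment by someone other than the prior owner.
    On a patched build this should never fire; on a vulnerable one each hit
    is an exploitation of the flaw."""
    return [
        e for e in events
        if e["status"] == 200
        and e["prior_owner"] is not None
        and e["actor"] != e["prior_owner"]
    ]


def enumeration_bursts(events: List[dict],
                       window: timedelta = timedelta(minutes=5),
                       threshold: int = 3) -> List[dict]:
    """Rule 2: one actor touching at least `threshold` distinct session IDs
    within `window`, whatever the status.  Catches session-ID guessing even
    after the upgrade, when the attempts fail."""
    by_actor: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["session_id"])
            if len(seen) >= threshold:
                alerts.append({"actor": actor, "start": start["ts"],
                               "distinct_sessions": len(seen)})
                break                       # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in cross_user_reassignments(evs):
        print("TAKEOVER", hit["actor"], "took", hit["session_id"], "from", hit["prior_owner"])
    for alert in enumeration_bursts(evs):
        print("ENUMERATION", alert)
```

Rule 1 needs the prior owner in the record, which means logging it in the service before the write; if the application only logs the request, Rule 2 still works from caller, session_id and timestamp alone.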

Generated by OpenCVE AI on May 18, 2026 at 23:20 UTC.

Advisories

No advisories yet.

History

Mon, 18 May 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Significant-gravitas; Significant-gravitas autogpt
Vendors & Products   (none)           Significant-gravitas; Significant-gravitas autogpt

Mon, 18 May 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           (the CVE description text shown at the top of this page)
Title         (none)           AutoGPT has Authenticated Session Hijacking via IDOR
Weaknesses    (none)           CWE-862
References    (none)           (none)
Metrics       (none)           cvssV3_1: score 7.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T22:28:10.683Z

Reserved: 2026-03-07T17:34:39.980Z

Link: CVE-2026-30950

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-18T23:16:33.190

Modified: 2026-05-18T23:16:33.190

Link: CVE-2026-30950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T23:30:25Z

Weaknesses