CVE-2026-30950
Deferred Deferred - Pending Action
Authenticated Session Hijacking in AutoGPT via IDOR

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-30950
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
autogpt autogpt From 0.6.36 (inc) to 0.6.50 (inc)
autogpt autogpt 0.6.51
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects AutoGPT versions 0.6.36 through 0.6.50 and is an Authenticated Session Hijacking issue caused by an Insecure Direct Object Reference (IDOR). An authenticated attacker who can determine another user's session_id can take over that session. This allows the attacker to read any messages in the session and lock the legitimate user out.

The root cause is that the PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but does not verify if the caller owns the session. The service layer calls the session lookup with user_id=None, which the data access layer treats as a privileged call, bypassing ownership checks. This lets any authenticated user reassign any session to themselves.

This vulnerability was fixed in AutoGPT version 0.6.51.

Impact Analysis

If exploited, this vulnerability allows an attacker to hijack another user's session in AutoGPT. The attacker can read all messages within that session and lock the legitimate user out, potentially disrupting workflows and exposing sensitive information.

The impact includes unauthorized access to user data and denial of service to the legitimate user by taking over their session.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade AutoGPT to version 0.6.51 or later, where the issue has been patched.

Until the upgrade is applied, restrict access to the PATCH /sessions/{session_id}/assign-user endpoint to trusted users only, and monitor authenticated sessions for suspicious reassignment activity.

Compliance Impact

The vulnerability allows an authenticated attacker to hijack another user's session, potentially accessing sensitive information contained in that session and locking the legitimate user out. This unauthorized access to user sessions could lead to exposure of personal or sensitive data.

Such unauthorized access and potential data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls to prevent unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart