CVE-2026-30950— AutoGPT 安全漏洞

AutoGPT has Authenticated Session Hijacking via IDOR

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

授权机制缺失

AutoGPT 安全漏洞

AutoGPT是AutoGPT开源的一个工具。用于让每个人都能使用和构建可访问的AI。 AutoGPT 0.6.36版本至0.6.50版本存在安全漏洞，该漏洞源于PATCH /sessions/{session_id}/assign-user端点未验证会话所有权，可能导致经过身份验证的会话劫持。

N/A

N/A