CVE-2025-53944

Published: Jul 30, 2025Modified: Aug 5, 2025

7.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.1 / Impact: 4.0

Source: NVD

Description

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents. In v0.6.15 and below, the external API's get_graph_execution_results endpoint has an authorization bypass vulnerability. While it correctly validates user access to the graph_id, it fails to verify ownership of the graph_exec_id parameter, allowing authenticated users to access any execution results by providing arbitrary execution IDs. The internal API implements proper validation for both parameters. This is fixed in v0.6.16.

Affected (1)

Products: Agpt: Autogpt Platform

1 product

Autogpt Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Agpt Autogpt Platform	Version 0.6.13 beta

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/Significant-Gravitas/AutoGPT/commit/309114a727baa2063357810d444e9a119f8dd7f6

Source: security-advisories@github.com

Patch

https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.16

Source: security-advisories@github.com

Release Notes

https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-x77j-qg2x-fgg6

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-x77j-qg2x-fgg6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.