PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-30950 Significant-Gravitas CVE debrief

## Summary

CVE-2026-30950 is a HIGH-severity (CVSS 7.1) authenticated session-hijacking vulnerability in AutoGPT, a workflow-automation platform for AI agents. Versions 0.6.36–0.6.50 are affected. An authenticated attacker who knows (or guesses) another user's session_id can reassign that session to themselves via the PATCH /sessions/{session_id}/assign-user endpoint. The flaw stems from an insecure direct object reference (IDOR): the service layer invokes the session lookup with user_id=None, which the data layer treats as a privileged/system call and therefore skips the ownership check. Consequences include unauthorized read access to session messages and denial of service for the legitimate user (session lock-out).

## Affected Products

| Product | Versions |
|---------|----------|
| AutoGPT | 0.6.36 – 0.6.50 |

## Root Cause

The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies that the caller owns the target session. When the service layer queries the session, it passes user_id=None; the data-access layer interprets this as a system-level request and bypasses the ownership filter, allowing any authenticated user to reassign arbitrary sessions.

## Impact

- **Confidentiality**: Attacker can read all messages in the hijacked session.
- **Availability**: Legitimate user is locked out of their session.
- **Scope**: Limited to session data; no indication of code execution or lateral movement.

## Exploitation Requirements

- Valid user account on the target AutoGPT instance.
- Ability to determine or guess a victim's session_id (e.g., via information disclosure, brute-force, or social engineering).

## Detection Guidance

Monitor API logs for:

- PATCH requests to /sessions/{session_id}/assign-user where the authenticated user_id differs from the session's original owner.
- Rapid successive session assignment operations from a single source account.
- Anomalous session access patterns (e.g., a user suddenly accessing sessions with unrelated content or historical messages predating their account creation).

## Mitigation

1. **Upgrade** to AutoGPT 0.6.51 or later, which patches the vulnerability.
2. **Validate** that

Vendor: Significant-Gravitas
Product: AutoGPT
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Organizations running AutoGPT versions 0.6.36–0.6.50 in production environments, particularly those hosting multi-tenant instances or processing sensitive data through AI agent workflows.

Technical summary

The vulnerability exists in the PATCH /sessions/{session_id}/assign-user endpoint. When processing a session reassignment request, the service layer queries the session with user_id=None, causing the data access layer to bypass ownership verification. This allows any authenticated user to reassign arbitrary sessions to themselves, resulting in unauthorized access to session content and denial of service for legitimate users. The issue is classified as CWE-862 (Missing Authorization).
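The pattern described above, as an added illustration for this debrief (hypothetical code, not AutoGPT's implementation): a data-access lookup that treats user_id=None as a system caller and skips the ownership filter, next to a hardened version that makes the caller identity mandatory. The in-memory store, the session ids and the "only the current owner may reassign" policy are constructed assumptions.

```python
"""Model of the CWE-862 pattern described in the debrief: a data-access
lookup that treats user_id=None as a system caller and skips the ownership
filter, beside a hardened version.  Hypothetical code written for this
debrief, not AutoGPT's implementation."""
from dataclasses import dataclass, field
from typing import Optional


class NotFound(Exception):
    """Session does not exist, or is not owned by the caller."""


@dataclass
class Session:
    session_id: str
    user_id: str                          # current owner
    messages: list = field(default_factory=list)


def make_store() -> dict:
    """Constructed in-memory stand-in for the sessions table."""
    return {
        "sess-alice": Session("sess-alice", "alice", ["alice's draft"]),
        "sess-bob": Session("sess-bob", "bob", ["bob's private notes"]),
    }


# --- vulnerable shape (as the advisory describes it) ------------------------

def get_session_vulnerable(store: dict, session_id: str,
                           user_id: Optional[str] = None) -> Session:
    """user_id=None is interpreted as a system call, so the ownership
    filter is skipped entirely."""
    s = store.get(session_id)
    if s is None:
        raise NotFound(session_id)
    if user_id is not None and s.user_id != user_id:
        raise NotFound(session_id)
    return s


def assign_user_vulnerable(store: dict, session_id: str, caller_id: str) -> Session:
    """Service layer that never forwards the caller identity: any
    authenticated user can take over any session id they know (the IDOR)."""
    s = get_session_vulnerable(store, session_id)   # user_id defaults to None
    s.user_id = caller_id
    return s


# --- hardened shape ---------------------------------------------------------

def get_session_owned(store: dict, session_id: str, user_id: str) -> Session:
    """Caller identity is mandatory; a missing value is an error, never a
    privilege.  Missing and foreign sessions raise the same NotFound so the
    endpoint does not reveal which session ids exist."""
    if not user_id:
        raise ValueError("user_id is required for session lookups")
    s = store.get(session_id)
    if s is None or s.user_id != user_id:
        raise NotFound(session_id)
    return s


def assign_user_fixed(store: dict, session_id: str, caller_id: str,
                      new_owner_id: str) -> Session:
    """Only the current owner may reassign a session (assumed policy for
    the assign-user operation)."""
    s = get_session_owned(store, session_id, caller_id)
    s.user_id = new_owner_id
    return s
```

The defensive point is in get_session_owned: a sentinel such as None must not double as an authorization bypass. If a genuine system path needs an unfiltered lookup, give it a separate, explicitly named function rather than overloading the user-facing one.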

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade AutoGPT to version 0.6.51 or later to remediate the authenticated session hijacking vulnerability.
  • Review access logs for PATCH /sessions/{session_id}/assign-user requests to identify potential exploitation attempts.
  • Implement additional logging and alerting on session ownership changes to detect anomalous reassignment activity.
  • Audit active sessions for unauthorized ownership changes if exploitation is suspected.
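The log review and alerting suggested in the actions above, as an added example written for this debrief (not AutoGPT code): it flags assign-user requests where the authenticated caller is not the session's original owner, and bursts of assignments from a single account. The log line format, the OWNERS map (session id to original owner, e.g. taken from a database snapshot before the review window) and the burst threshold are assumptions, and the log lines are constructed.

```python
"""Detection logic for the assign-user signals, run over constructed API log
lines.  Added example for this debrief, not part of AutoGPT; the log format,
the OWNERS map and the burst threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-ts> user=<authenticated user> <METHOD> <path> <status>"
ASSIGN_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) PATCH "
    r"/sessions/(?P<sid>[^/\s]+)/assign-user (?P<status>\d{3})$"
)

# Constructed sample: one benign self-assignment, a burst of foreign
# reassignments from a single account, and one unrelated request.
LOG_LINES = [
    "2026-05-18T10:00:01Z user=alice PATCH /sessions/sess-alice-1/assign-user 200",
    "2026-05-18T10:00:05Z user=mallory PATCH /sessions/sess-bob-7/assign-user 200",
    "2026-05-18T10:00:09Z user=mallory PATCH /sessions/sess-carol-3/assign-user 200",
    "2026-05-18T10:00:14Z user=mallory PATCH /sessions/sess-dave-2/assign-user 200",
    "2026-05-18T10:00:20Z user=alice GET /sessions/sess-alice-1/messages 200",
]
# Assumed: original owner of each session, as recorded before the window.
OWNERS = {"sess-alice-1": "alice", "sess-bob-7": "bob",
          "sess-carol-3": "carol", "sess-dave-2": "dave"}


def parse_assign(line: str):
    """Return a dict for assign-user PATCH lines, None for anything else."""
    m = ASSIGN_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "user": m["user"],
        "sid": m["sid"],
        "status": int(m["status"]),
    }


def detect(lines, owners, burst_threshold=3, window=timedelta(seconds=60)):
    """Emit ('foreign_session_assign', user, sid) when the caller is not the
    session's original owner, and ('assign_burst', user, n) when one account
    issues at least burst_threshold assignments within `window`."""
    alerts = []
    times_by_user = defaultdict(list)
    for line in lines:
        ev = parse_assign(line)
        if ev is None:
            continue
        owner = owners.get(ev["sid"])
        if owner is not None and owner != ev["user"]:
            alerts.append(("foreign_session_assign", ev["user"], ev["sid"]))
        times_by_user[ev["user"]].append(ev["ts"])
    for user, times in times_by_user.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst_threshold:
                alerts.append(("assign_burst", user, n))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES, OWNERS):
        print(alert)
```

Attempts are counted regardless of HTTP status, since on a patched instance a rejected foreign reassignment is still worth an alert. The ownership comparison depends on the OWNERS snapshot being taken before the review window; on a live table the attacker's own reassignment would already have overwritten the owner column.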

Evidence notes

Root cause and impact details drawn from CVE description and GitHub Security Advisory GHSA-q58p-v9r9-7gqj. Patch commit eca7b5e79370c34ed75e80badb824023d7d8629d confirms remediation in version 0.6.51.

Official resources

2026-05-18