PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55237 Significant-Gravitas CVE debrief

CVE-2026-55237 is a high-severity DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT's signup page. Versions prior to 0.6.62 are affected. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. AutoGPT has patched the issue in version 0.6.62. Users should update to the latest version to mitigate the vulnerability.

Vendor
Significant-Gravitas
Product
AutoGPT
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-18
Advisory published
2026-06-18
Advisory updated
2026-06-18

Who should care

Security teams and administrators responsible for AutoGPT deployments should be aware of this vulnerability. Additionally, users who interact with AutoGPT's signup page, especially those with administrative privileges, are at risk of exploitation.

Technical summary

The vulnerability exists in AutoGPT's signup page, where the application trusts the 'next' URL parameter and passes it unvalidated to 'router.push'. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L.
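The defensive pattern behind this class of bug, as an added example that is not AutoGPT's code: an allow-list check applied to a 'next' parameter before it is handed to a client-side router call such as 'router.push'. The application origin is an assumed value; only a same-origin absolute path is accepted and everything else falls back to a fixed default.

```javascript
// Added example (not from AutoGPT): validate a "next" redirect target before
// passing it to a client-side router. The origin below is an assumed value.
const APP_ORIGIN = "https://app.example.test";

function safeNextPath(rawNext, fallback = "/") {
  if (typeof rawNext !== "string" || rawNext.length === 0) return fallback;

  // Control characters have no place in a redirect target.
  if (/[\x00-\x1f\x7f]/.test(rawNext)) return fallback;

  // Require an absolute path inside the app: exactly one leading slash.
  // "javascript:..." and "https://..." fail here because they carry a scheme;
  // "//host" and "/\host" are protocol-relative URLs to a browser, so they are
  // rejected as well.
  if (!rawNext.startsWith("/") ||
      rawNext.startsWith("//") ||
      rawNext.startsWith("/\\")) {
    return fallback;
  }

  // Resolve against the app origin and confirm the origin is unchanged.
  let resolved;
  try {
    resolved = new URL(rawNext, APP_ORIGIN);
  } catch {
    return fallback; // defensive: URL() should not throw for a path + valid base
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Dot-segment normalization can still yield a "//host"-shaped path
  // (e.g. "/..//host"), so check the normalized pathname too.
  if (resolved.pathname.startsWith("//")) return fallback;

  // Hand back the normalized path, never the raw input.
  return resolved.pathname + resolved.search + resolved.hash;
}
```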

Defensive priority

High

Recommended defensive actions

  • Update AutoGPT to version 0.6.62 or later
  • Implement additional security measures to monitor and restrict user interactions with the signup page
  • Educate users on the risks of clicking on suspicious links
  • Consider implementing a Web Application Firewall (WAF) to detect and prevent XSS attacks
  • Regularly review and update AutoGPT deployments to ensure the latest security patches are applied

Evidence notes

The vulnerability is confirmed by the CVE record and NVD detail. The source item URL provides additional information on the vulnerability. The security advisory from GitHub (GHSA-j2cp-jg5q-38wj) also provides details on the vulnerability and the patch.

Official resources
