CVE-2026-30950
Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AutoGPT 0.6.36–0.6.50 allows any authenticated user to hijack another user's chat session via an IDOR in the PATCH /sessions/{session_id}/assign-user endpoint.
Vulnerability
Overview
CVE-2026-30950 is an authenticated session hijacking vulnerability affecting AutoGPT versions 0.6.36 through 0.6.50. The root cause lies in the PATCH /sessions/{session_id}/assign-user endpoint, which authenticates the caller via JWT but never verifies that the caller owns the target session. The underlying service function assign_user_to_session() calls get_chat_session(session_id, None), where passing user_id=None is interpreted by the data access layer as a privileged system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves [1].
Exploitation
An attacker who can determine a victim's session_id (a UUID that may be leaked via logs, URLs, or enumeration) can send a PATCH request to /sessions/{session_id}/assign-user with their own user_id. The endpoint requires a valid JWT but performs no ownership check, so the session is reassigned to the attacker. The victim is then locked out of their own session because the Redis cache is poisoned with the new owner [1]. The fix, implemented in commit eca7b5e79370c34ed75e80badb824023d7d8629d, adds an ownership check that raises a NotAuthorizedError if the session already belongs to a different user [2].
Impact
Successful exploitation allows an authenticated attacker to hijack any other user's chat session, gaining access to all messages within that session. The legitimate user is locked out, and the attacker can continue the conversation under the victim's identity. The vulnerability is rated High with a CVSS v3 score of 7.1, reflecting the low complexity and network-based attack vector, though it requires authentication and knowledge of a valid session ID [1].
Mitigation
The issue has been patched in AutoGPT version 0.6.51. Users are strongly advised to upgrade immediately. No workarounds are available for affected versions [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: >=0.6.36,<=0.6.50
Patches
1eca7b5e79370Merge commit from fork
2 files changed · +7 −2
autogpt_platform/backend/backend/api/features/chat/routes.py+0 −1 modified@@ -805,7 +805,6 @@ async def event_generator() -> AsyncGenerator[str, None]: @router.patch( "/sessions/{session_id}/assign-user", dependencies=[Security(auth.requires_user)], - status_code=200, ) async def session_assign_user( session_id: str,
autogpt_platform/backend/backend/copilot/service.py+7 −1 modified@@ -18,7 +18,7 @@ from backend.data.db_accessors import understanding_db from backend.data.understanding import format_understanding_for_prompt -from backend.util.exceptions import NotFoundError +from backend.util.exceptions import NotAuthorizedError, NotFoundError from backend.util.settings import AppEnvironment, Settings from .config import ChatConfig @@ -198,6 +198,12 @@ async def assign_user_to_session( session = await get_chat_session(session_id, None) if not session: raise NotFoundError(f"Session {session_id} not found") + if session.user_id is not None and session.user_id != user_id: + logger.warning( + f"[SECURITY] Attempt to claim session {session_id} by user {user_id}, " + f"but it already belongs to user {session.user_id}" + ) + raise NotAuthorizedError(f"Not authorized to claim session {session_id}") session.user_id = user_id session = await upsert_chat_session(session) return session
Vulnerability mechanics
Root cause
"Missing authorization check in the session assignment endpoint allows any authenticated user to reassign another user's session to themselves."
Attack vector
An authenticated attacker who can determine another user's session_id (e.g., through IDOR enumeration, log inspection, or shared context) sends a PATCH request to `/sessions/{session_id}/assign-user` with the target session_id and their own user_id. The endpoint authenticates the caller via `auth.requires_user` but never verifies that the caller owns the session [CWE-862]. The service layer calls `get_chat_session(session_id, None)` with `user_id=None`, which the data access layer treats as a privileged/system call that bypasses the ownership filter, returning the session regardless of ownership. The attacker's user_id is then written into the session, hijacking it and locking out the legitimate user.
Affected code
The vulnerability exists in `backend/backend/copilot/service.py` in the `assign_user_to_session()` function, which calls `get_chat_session(session_id, None)` with `user_id=None`, bypassing ownership filtering. The endpoint is defined in `backend/backend/api/features/chat/routes.py` at the `PATCH /sessions/{session_id}/assign-user` route. The patch modifies `service.py` to add an ownership check before reassignment.
What the fix does
The patch adds an ownership check in `assign_user_to_session()` inside `service.py` [patch_id=424396]. Before allowing the reassignment, the code now verifies that `session.user_id` is either `None` (unclaimed session) or matches the requesting `user_id`. If the session already belongs to a different user, it logs a security warning and raises `NotAuthorizedError`, preventing the hijack. The patch also removes the hardcoded `status_code=200` from the route definition, though the critical fix is the authorization guard. This ensures that even though the data access layer bypasses ownership filtering when called with `user_id=None`, the service layer now enforces ownership before proceeding.
Preconditions
- authAttacker must be an authenticated user of the AutoGPT platform.
- inputAttacker must know or be able to guess the target session_id (UUID).
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.