CVE-2026-30950 Overview
CVE-2026-30950 is an authenticated Insecure Direct Object Reference (IDOR) vulnerability in AutoGPT, a workflow automation platform for building and managing continuous AI agents. The flaw affects versions 0.6.36 through 0.6.50 and allows any authenticated user to hijack another user's chat session by submitting a known session_id to the PATCH /sessions/{session_id}/assign-user endpoint. An attacker who reassigns a victim's session can read its messages and lock the legitimate owner out. The issue is fixed in version 0.6.51.
Critical Impact
Authenticated attackers can take over arbitrary chat sessions, accessing private message history and denying access to legitimate users [CWE-862: Missing Authorization].
Affected Products
- AutoGPT versions 0.6.36 through 0.6.50
- AutoGPT Platform backend (autogpt_platform/backend) chat and copilot services
- AutoGPT deployments exposing the PATCH /sessions/{session_id}/assign-user endpoint
Discovery Timeline
- 2026-05-18 - CVE-2026-30950 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-30950
Vulnerability Analysis
The vulnerability resides in the chat session assignment route exposed by the AutoGPT backend. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the calling user through Security(auth.requires_user) but does not verify that the caller owns the targeted session. The service layer in copilot/service.py invokes the session lookup with user_id=None, which the data access layer treats as a privileged system call and bypasses its ownership filter. Any authenticated user can therefore reassign an arbitrary session, identified only by its session_id, to their own account. Once reassigned, the attacker reads existing message history in that session and the original owner loses access.
Root Cause
The root cause is missing authorization at the service boundary. The data access function distinguishes between user requests and system requests by checking whether user_id is None. Passing None from an authenticated user-facing route silently elevates the call to a system context, bypassing tenant isolation. This is a classic IDOR pattern combined with privilege confusion between application and system contexts [CWE-862].
Attack Vector
Exploitation requires only a valid authenticated account and knowledge or enumeration of a target session_id. The attacker sends a single PATCH request to the assign-user endpoint with the victim's session_id. No additional user interaction is required, and the attack is delivered over the network against any reachable AutoGPT instance.
# Patch excerpt from autogpt_platform/backend/backend/api/features/chat/routes.py
@router.patch(
"/sessions/{session_id}/assign-user",
dependencies=[Security(auth.requires_user)],
- status_code=200,
)
async def session_assign_user(
session_id: str,
# Patch excerpt from autogpt_platform/backend/backend/copilot/service.py
from backend.data.db_accessors import understanding_db
from backend.data.understanding import format_understanding_for_prompt
-from backend.util.exceptions import NotFoundError
+from backend.util.exceptions import NotAuthorizedError, NotFoundError
from backend.util.settings import AppEnvironment, Settings
from .config import ChatConfig
Source: GitHub Commit eca7b5e. The patch introduces NotAuthorizedError handling in the copilot service so the assign-user flow now rejects requests where the caller does not own the target session.
Detection Methods for CVE-2026-30950
Indicators of Compromise
- Unexpected PATCH /sessions/{session_id}/assign-user requests in AutoGPT backend access logs, especially from accounts that did not previously interact with the referenced session.
- Chat sessions whose owning user_id changes without a corresponding administrative action.
- Legitimate users reporting loss of access to previously visible sessions or missing conversation history.
Detection Strategies
- Audit application logs for any 200-response PATCH calls to the assign-user endpoint and correlate the authenticated caller against prior session ownership records.
- Query the chat session database for rows where user_id was updated outside of expected administrative workflows.
- Add a server-side hook that emits an event whenever session.user_id changes, including caller identity and source IP for downstream analysis.
Monitoring Recommendations
- Forward AutoGPT backend access and application logs to a centralized logging or SIEM platform and alert on bursts of assign-user calls from a single principal.
- Track per-account rates of session ownership changes and flag accounts that reassign multiple distinct sessions in a short window.
- Monitor authentication telemetry for accounts performing session enumeration patterns against the chat API.
How to Mitigate CVE-2026-30950
Immediate Actions Required
- Upgrade AutoGPT to version 0.6.51 or later, which enforces ownership checks on the assign-user endpoint.
- Review chat session ownership records for unauthorized user_id reassignments since deploying any version between 0.6.36 and 0.6.50.
- Rotate or invalidate active chat sessions if tampering is suspected and notify affected users.
Patch Information
The issue is fixed in AutoGPT 0.6.51. The fix is committed in GitHub Commit eca7b5e and documented in the GitHub Security Advisory GHSA-q58p-v9r9-7gqj. The patch adds NotAuthorizedError handling so that the service layer rejects assign-user requests when the caller does not own the targeted session.
Workarounds
- Restrict network access to the AutoGPT backend so only trusted users can reach the chat API while the upgrade is scheduled.
- Disable or block the PATCH /sessions/{session_id}/assign-user route at a reverse proxy if it is not required by your deployment.
- Require administrator review for any session reassignment events until the patched version is deployed.
# Verify the deployed AutoGPT version and upgrade to the fixed release
pip show agpt | grep -i version
pip install --upgrade "agpt>=0.6.51"
# Example reverse-proxy block (nginx) for the vulnerable endpoint pre-upgrade
# location ~ ^/sessions/[^/]+/assign-user$ {
# return 403;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
