WebSocket API Flaw in AutoGPT by Significant Gravitas
CVE-2025-31494
3.5LOW
Key Information:
- Vendor
- Significant-gravitas
- Status
- Autogpt
- Vendor
- CVE Published:
- 15 April 2025
Summary
The AutoGPT platform, which facilitates the creation and management of AI agents, is affected by a vulnerability related to its WebSocket API. This flaw allows users to subscribe to node execution updates using another user's graph_id and graph_version, potentially enabling unauthorized access to execution details across user sessions within the same instance. This risk is mitigated in single-user instances and in private setups where user access is controlled by the administrator. The issue was addressed in version 0.6.1.
Affected Version(s)
AutoGPT < 0.6.1
References
CVSS V3.1
Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved