WebSocket API Flaw in AutoGPT by Significant Gravitas
CVE-2025-31494

3.5LOW

Key Information:

Vendor

Significant-gravitas

Status
Autogpt
Vendor
CVE Published:
15 April 2025

What is CVE-2025-31494?

The AutoGPT platform, which facilitates the creation and management of AI agents, is affected by a vulnerability related to its WebSocket API. This flaw allows users to subscribe to node execution updates using another user's graph_id and graph_version, potentially enabling unauthorized access to execution details across user sessions within the same instance. This risk is mitigated in single-user instances and in private setups where user access is controlled by the administrator. The issue was addressed in version 0.6.1.

Affected Version(s)

AutoGPT < 0.6.1

References

https://github.com/Significant-Gravitas/AutoGPT/security/...
x_refsource_CONFIRM
https://github.com/Significant-Gravitas/AutoGPT/pull/9660
x_refsource_MISC
https://github.com/Significant-Gravitas/AutoGPT/releases/...
x_refsource_MISC

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.