DOM-based Cross-Site Scripting in AutoGPT by Significant Gravitas
CVE-2026-55237

8.8 HIGH

Key Information:

Status
Vendor
CVE Published: 18 June 2026

What is CVE-2026-55237?

AutoGPT, a workflow automation platform, is affected by a DOM-based Cross-Site Scripting (XSS) vulnerability in versions prior to 0.6.62. The flaw is on the signup page, where the application does not properly validate the `next` URL parameter before using it for a client-side redirect. An attacker can exploit this by sending a crafted link to authenticated users; when the link is opened, arbitrary JavaScript may execute in the victim's browser. The consequences can include credential theft, unauthorized access to internal network resources, and actions performed on behalf of the victim. Users are urged to upgrade to version 0.6.62 to mitigate this risk.
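As an added illustration, not AutoGPT's own code or its fix, the JavaScript below shows the defensive pattern the advisory implies: a signup page should accept a `next` parameter only when it resolves to a same-origin relative path, and fall back to a safe default otherwise. `APP_ORIGIN`, the function names and the sample inputs are assumptions constructed for this example.

```javascript
// Added example (not from the AutoGPT project): validating a post-signup
// "next" redirect target before handing it to the browser.

// Assumed application origin; in a real page this would be window.location.origin.
const APP_ORIGIN = "https://app.example.com";

// Vulnerable pattern for contrast: the parameter is trusted as-is, so an
// attacker-controlled value (absolute URL, scheme-bearing URL, protocol-relative
// "//host") reaches the redirect unchanged.
function unsafeNextPath(nextParam) {
  return nextParam || "/";
}

// Hardened version: returns a same-origin path (with query and fragment),
// or "/" as the safe default when the value is missing or untrusted.
function safeNextPath(nextParam) {
  if (typeof nextParam !== "string" || nextParam.length === 0) return "/";

  // Require exactly one leading "/". This rejects absolute URLs with any
  // scheme (https:, javascript:, data:), protocol-relative "//host" values,
  // and "/\host", which browsers normalise to "//host" for http(s) URLs.
  if (!nextParam.startsWith("/") ||
      nextParam.startsWith("//") ||
      nextParam.startsWith("/\\")) {
    return "/";
  }

  // Let the URL parser resolve the value against the application origin and
  // confirm it still lands on that origin; this also normalises "..", encoded
  // characters and stray backslashes the simple prefix check might miss.
  let resolved;
  try {
    resolved = new URL(nextParam, APP_ORIGIN);
  } catch (_e) {
    return "/";
  }
  if (resolved.origin !== APP_ORIGIN) return "/";

  return resolved.pathname + resolved.search + resolved.hash;
}

// Helper: pull "next" out of a page's query string (e.g. window.location.search)
// and sanitise it in one step.
function redirectTargetFromQuery(search) {
  const params = new URLSearchParams(search);
  return safeNextPath(params.get("next"));
}

module.exports = { APP_ORIGIN, unsafeNextPath, safeNextPath, redirectTargetFromQuery };
```

In the page itself the result of `safeNextPath` would be assigned to `window.location` after signup completes; the key property is that the return value is always a path on the application's own origin, so neither a foreign host nor a `javascript:` URL can be reached through the parameter.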

Affected Version(s)

AutoGPT < 0.6.62

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
