CVE-2026-55237

HIGH 8.8

AutoGPT SignUp Page has DOM-Based XSS and Open Redirect

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions prior to 0.6.62 have a DOM-based Cross-Site Scripting (XSS) vulnerability in AutoGPT's signup page. The application improperly trusts a URL parameter (`next`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 0.6.62 patches the issue.

CWE	CWE-87 CWE-601
Vendor	significant-gravitas
Product	autogpt
Published	Jun 18, 2026
Last Updated	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for significant-gravitas autogpt

Be the first to know when new high vulnerabilities affecting significant-gravitas autogpt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Affected Versions

Significant-Gravitas / AutoGPT

< 0.6.62

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-j2cp-jg5q-38wj