Account Takeover Flaw in AI Agent Tool AutoGPT: CVE-2026-55237, Update to 0.6.62

A vulnerability in AutoGPT, the well-known tool for building AI agents, can let an attacker hijack a user's account just by getting them to click a crafted link. Published June 18, 2026 as CVE-2026-55237 with a severity of 8.8 out of 10, it affects self-hosted installs. Updating to the latest version, 0.6.62, closes the hole.

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.19 · 6 min

A vulnerability has been found in AutoGPT, the popular tool for building and running AIs that act on their own, that could let an attacker hijack a user's account simply by getting them to click a crafted link. Published on June 18, 2026 as CVE-2026-55237, it is rated 8.8 out of 10 (High).

Versions before 0.6.62 are affected when AutoGPT is installed on your own server (self-hosted). The flaw was disclosed in the vendor's security advisory and fixed in the latest version, 0.6.62.

What AutoGPT Is, and Why So Many People Use It

AutoGPT is a tool for building and running autonomous AI agents that plan and carry out tasks on their own once given instructions. It appeared in 2023, drew worldwide attention, and became one of the most-starred projects on GitHub, the site where source code is published. Today it continues to be developed as a "platform" for creating, deploying, and operating AI agents.

The platform can be self-hosted, that is, installed on your own server. Once set up, it serves a web interface for logging in and signing up. This vulnerability was in that signup page. The flaw has nothing to do with how capable the AI agent itself is; it lies in how the front-door web page was built.

Cases where "the tool that runs AI agents itself turns out to have a vulnerability" have come one after another recently. On this site, we have covered the AI tool Langflow being attacked within 20 hours of disclosure and a takeover hole in LiteLLM, which orchestrates AIs. The more convenient AI tools there are, the more their "entrances" become targets.

Who Sends You This Link, and What Do They Take

CVE-2026-55237 is the kind of vulnerability where the damage begins from "a single click." You didn't open a suspicious file and you didn't hand over your password, and yet a program prepared by the attacker starts running behind the screen. That is exactly why it is worth picturing in advance who hands you that link, and under what pretext.

The sender might be someone who pastes a helpful-looking URL into chat saying "here's a handy AutoGPT config to share," someone who poses as IT support on internal Slack or email urging "open this to confirm your account," or someone pretending to be a partner you're building an agent automation flow with. What they are after is what sits behind that screen: the authentication tokens that keep you logged in, the API keys for OpenAI and other services connected to the AI, the connection details for the internal systems wired into the agent, and the admin screen you can operate as yourself. The moment a crafted link is opened, the privileges of "you" inside the browser pass straight into the attacker's hands.

Technically, the attacker uses prior reconnaissance to guess the target uses AutoGPT, then prepares a crafted link to the signup page. If the victim is already logged in, the attack succeeds the instant the link is opened. Even if not yet logged in, the same trap fires right after they finish registering. Once it runs inside the browser, the attacker can not only perform various actions as the logged-in user, but also use that browser as a foothold to reach into other internal systems normally untouchable from outside.

The number "severity 8.8" is no more than a scale for technical seriousness. For someone who has woven AutoGPT into their work, what is truly lost is the bundle of keys to every service the AI was holding, and all of the internal information that AI agent could reach. That a single click can reach that far is the danger of this vulnerability.

What Actually Happens with CVE-2026-55237

The true nature of the flaw is "DOM-based cross-site scripting (XSS)" plus an "open redirect." XSS is an attack that slips an attacker's program (a script) into a web page and runs it on the user's browser. An open redirect refers to a flaw that lets you send a user to an arbitrary destination different from the intended one.

The cause is that the signup page passed the URL parameter "next" straight into the page-navigation call (router.push) without checking its contents. The parameter is meant to specify "where to go after login," but nothing checked whether a script, in the form of a value beginning with javascript:, had been placed there. The vendor advisory gives a crafted URL like /signup?next=javascript:... as an attack example.

When this flaw is exploited, the attacker's program runs with the user's browser privileges and can call various APIs (the windows through which programs cooperate) as the logged-in user. The result, as described, can lead to theft of credentials, actions taken while impersonating the user, and even intrusion into the internal network using that browser as a stepping stone. The severity rating (CVSS 8.8) also accounts for the fact that the damage can spread beyond the scope of the first app (a "scope change").

There is one condition. For the attack to succeed, the user must actually click the crafted link (the rating notes "user interaction required," i.e. UI:R). It is not something that hijacks you out of nowhere while you do nothing. The reporter is the security researcher TrebledJ; no actual attacks have been confirmed at this time, but given how easily it works from a single link, prompt action is advisable.

Are You Affected?

Whether you are affected depends on "how you use AutoGPT." Check the table below.

| How you use it | Risk | What to do |
|---|---|---|
| Self-hosted, used by multiple people | High (more room for users to click trap links) | Update to 0.6.62 as top priority |
| Self-hosted, used by one person | Medium (Low if you don't click suspicious links) | Update to 0.6.62 soon |
| Old version exposed inside the company | High (can be a foothold for internal intrusion) | Update now / temporarily restrict access |
| Not using AutoGPT | None | No action needed |

| Item | Detail |
|---|---|
| Affected versions | Before 0.6.62 |
| Fixed version | 0.6.62 |
| Vulnerability type | DOM-based XSS + open redirect |
| Severity | CVSS 8.8 (High) |
| Condition | Requires clicking a crafted link |

How Should You Respond?

The fix is simple: update AutoGPT to 0.6.62 or later. The fixed version adds validation of the values the signup page receives, so dangerous values such as those beginning with javascript: are now rejected. Update steps can be found in the official repository and the security advisory GHSA-j2cp-jg5q-38wj.
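
The kind of check the fix describes, validating "next" before it reaches the navigation call, as an added example; this is not AutoGPT's actual patch. `safeNextPath`, `DEFAULT_PATH` and the sample origin are hypothetical names. It goes one step beyond rejecting javascript: and also refuses off-site targets, which covers the open-redirect half of the flaw.

```javascript
// Added example: allow-list validation for a post-login "next" parameter.
// safeNextPath, DEFAULT_PATH and ORIGIN are hypothetical, not AutoGPT code.
const DEFAULT_PATH = "/";

function safeNextPath(next, appOrigin) {
  if (typeof next !== "string" || next.length === 0) return DEFAULT_PATH;

  // Accept only same-site absolute paths: exactly one leading "/".
  // "//host" and "/\host" are read by browsers as protocol-relative URLs.
  if (!next.startsWith("/") || next.startsWith("//") || next.startsWith("/\\")) {
    return DEFAULT_PATH;
  }
  // URL parsers strip tab/CR/LF, which can hide a second slash or a scheme,
  // so refuse any control character outright.
  if (/[\u0000-\u001f\u007f]/.test(next)) return DEFAULT_PATH;

  let url;
  try {
    url = new URL(next, appOrigin); // resolve the way a browser would
  } catch {
    return DEFAULT_PATH;
  }
  // After resolution the target must still be our own origin over http(s).
  if (url.origin !== appOrigin) return DEFAULT_PATH;
  if (url.protocol !== "https:" && url.protocol !== "http:") return DEFAULT_PATH;

  // Hand the router path + query + fragment only, never a scheme or host.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs (not taken from the advisory).
const ORIGIN = "https://autogpt.example.internal";
const samples = [
  "/marketplace?tab=agents",   // legitimate in-app target
  "javascript:void(0)",        // script scheme
  "//attacker.example/login",  // protocol-relative, off-site
  "/\\attacker.example",       // backslash variant of the above
  "https://attacker.example/", // absolute off-site URL
  "/\t/attacker.example",      // tab hiding a second slash
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeNextPath(s, ORIGIN));
}
```

Only the first sample is passed through; every other value falls back to `DEFAULT_PATH`.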

As a stopgap when you cannot update right away, avoid carelessly clicking links related to AutoGPT's login or signup pages, and, if you expose it internally, consider temporarily restricting where access can come from. The real fix, however, is to update. If you cannot keep track of which AI tools and versions your organization uses, a mechanism such as an OSS vulnerability scanner, which flags dangerous versions from a list of the components in use, helps prevent oversights.

Why Do AI Tools Keep Getting Vulnerabilities?

Tools for running AI agents have exploded in number over the past year or two. Many are developed at a sprint by small teams or communities, and the basic defenses any ordinary web app should have on its login screens and APIs tend to be put off in favor of the AI itself. A classic XSS left in the signup page at the entrance, as with AutoGPT this time, is a typical example.

Meanwhile, attackers too are using AI to accelerate their search for weaknesses. On this site, we have covered how AI speeds up attacks while also multiplying the holes. When bringing convenient AI tools into your work, it matters more than ever to choose not only by the AI's performance but also by "whether the entry web screen is properly defended" and "whether updates come out frequently."

✓ Confirmed facts

  • CVE-2026-55237 was published on June 18, 2026 (NVD)
  • DOM-based XSS + open redirect in AutoGPT's signup page; severity 8.8 (High)
  • Affects versions before 0.6.62; fixed in 0.6.62. Reported by TrebledJ
  • Success requires clicking a crafted link (UI:R)

? Unconfirmed at this time

  • Reports of actual attacks or exploitation — none confirmed at publication
  • The extent of impact on the cloud-hosted version — the self-hosted version is the one called out as affected

Frequently Asked Questions

Q. Am I at risk even if I don't use AutoGPT?

A. No. This vulnerability is an issue when you install and run AutoGPT on your own server. If you don't use it, no action is needed.

Q. Am I safe as long as I'm not logged in?

A. Don't let your guard down. Even if you open a trap link while logged out, the attack is said to fire right after you finish signing up. It is safest not to open AutoGPT-related links of unknown origin.

Q. Does updating really fix it?

A. Yes. Version 0.6.62 adds validation that rejects dangerous values, closing this path. Updating to the latest version is the reliable response.

Summary

CVE-2026-55237 is a vulnerability found in the signup page of AutoGPT, the well-known AI-agent building tool, that can lead to account takeover from clicking a crafted link. Rated 8.8 (High), it affects versions before 0.6.62. If you install and run it on your own server, you can address it by updating to the latest version, 0.6.62.

As tools for running AI agents surge, cases where the defenses of their "entry" web screens fail to keep up keep appearing. Attention tends to go to how clever the AI is, but basic parts like the login screen are exactly where attackers aim. The more you adopt convenient tools, the more keeping up with updates leads to safety.
