AutoGPT Authorization Bypass Vulnerability in Graph Execution API Endpoint

An authorization bypass vulnerability has been identified in AutoGPT versions through 0.6.15. The issue resides in the external API's 'get_graph_execution_results' endpoint, which allows authenticated users to access execution results from other users' graph executions. While the endpoint correctly validates access to the 'graph_id', it fails to verify ownership of the 'graph_exec_id' parameter. This oversight enables users to access sensitive execution data, including input parameters, output results, and proprietary workflow details, from any user's graph executions, provided they can obtain the execution ID.

Impact

Exploitation of this vulnerability allows for cross-tenant data access in a multi-tenant SaaS environment, exposing API keys and credentials stored in execution inputs.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the 'get_graph_execution_results' endpoint, including a valid 'graph_id' and a 'graph_exec_id' that does not belong to them. The request will bypass authorization checks and return execution data from the specified 'graph_exec_id', including sensitive input and output information.

Remediation

Users can update to AutoGPT version 0.6.16 or later, where this vulnerability has been patched.