CVE-2025-53944 is a high-severity authorization bypass vulnerability affecting Significant-Gravitas AutoGPT versions prior to 0.6.16. AutoGPT is a platform designed for creating, deploying, and managing continuous AI agents, which rely on graph-based execution workflows. The vulnerability exists in the external API endpoint get_graph_execution_results, which is intended to return execution results for a given graph. While the API correctly validates user access to the graph_id parameter, it fails to verify ownership or authorization for the graph_exec_id parameter. This flaw allows any authenticated user to supply arbitrary execution IDs and retrieve execution results belonging to other users, bypassing intended access controls. The internal API correctly enforces validation on both parameters, but the external API's improper authorization check constitutes a CWE-285 (Improper Authorization) weakness. The vulnerability does not require user interaction and can be exploited remotely over the network with low complexity, given that the attacker must be authenticated (PR:L). The CVSS 3.1 base score of 7.7 reflects high confidentiality impact due to unauthorized data disclosure, no impact on integrity or availability, and a scope change since the vulnerability affects resources beyond the attacker's privileges. This issue was fixed in version 0.6.16 of AutoGPT. No known exploits are reported in the wild as of the published date.

For European organizations using AutoGPT, especially those leveraging AI agents for sensitive or proprietary workflows, this vulnerability poses a significant risk to confidentiality. Unauthorized access to execution results could expose sensitive AI decision-making data, intellectual property, or personal data processed by the AI agents. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and loss of competitive advantage. Since the vulnerability does not affect integrity or availability, operational disruption is unlikely, but the exposure of confidential information alone can have severe reputational and financial consequences. Organizations in sectors such as finance, healthcare, research, and government that adopt AutoGPT for AI automation are particularly at risk. The requirement for authentication limits exploitation to insiders or compromised accounts, but insider threats or credential theft scenarios remain plausible. The scope change indicates that attackers can access data beyond their authorized domain, increasing the severity of the breach.

European organizations should immediately upgrade AutoGPT to version 0.6.16 or later to remediate this vulnerability. Until patching is possible, organizations should restrict access to the external API endpoints to trusted networks and users, implement strict monitoring and logging of API calls to detect anomalous access patterns, and enforce strong authentication and authorization controls, including multi-factor authentication to reduce the risk of credential compromise. Additionally, organizations should conduct audits of existing execution results access logs to identify potential unauthorized access. Network segmentation and API gateway policies can be employed to limit exposure of the vulnerable endpoint. Developers should review custom integrations with AutoGPT to ensure they do not bypass internal API protections. Finally, organizations should incorporate this vulnerability into their incident response plans and ensure staff are aware of the risk and remediation steps.