CVE-2026-56823: CWE-284: Improper Access Control in Significant-Gravitas AutoGPT
CVE-2026-56823 is an improper access control vulnerability in Significant-Gravitas AutoGPT. The issue occurs in the POST /api/integrations/webhooks/{webhook_id}/ping endpoint, which fetches a webhook by its primary key without verifying ownership by the authenticated user. This allows any authenticated user to confirm the existence of arbitrary webhooks, leak OAuth provider types, and potentially trigger ping deliveries on behalf of other users. The vulnerability has a medium severity with a CVSS score of 5.4. No affected versions or patch information are explicitly provided.
AI Analysis
Technical Summary
AutoGPT's POST /api/integrations/webhooks/{webhook_id}/ping endpoint does not verify that the webhook belongs to the authenticated user before fetching it by primary key. This improper access control (CWE-284) enables authenticated users to enumerate webhooks, leak OAuth provider information, and in some cases trigger webhook pings on behalf of other users. The vulnerability is identified as CVE-2026-56823 with a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). No vendor advisory or patch details are provided, and the affected versions are unspecified.
Potential Impact
An authenticated user can confirm the existence of arbitrary webhooks belonging to other users, leak information about the webhook's OAuth provider type, and potentially trigger webhook ping deliveries on behalf of other users. This leads to information disclosure and limited integrity impact. There is no indication of availability impact. The vulnerability requires low attack complexity and privileges but no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the webhook ping endpoint to only allow operations on webhooks owned by the authenticated user. Monitor for unusual webhook activity and consider implementing additional access controls to prevent unauthorized webhook enumeration and triggering.
CVE-2026-56823: CWE-284: Improper Access Control in Significant-Gravitas AutoGPT
Description
CVE-2026-56823 is an improper access control vulnerability in Significant-Gravitas AutoGPT. The issue occurs in the POST /api/integrations/webhooks/{webhook_id}/ping endpoint, which fetches a webhook by its primary key without verifying ownership by the authenticated user. This allows any authenticated user to confirm the existence of arbitrary webhooks, leak OAuth provider types, and potentially trigger ping deliveries on behalf of other users. The vulnerability has a medium severity with a CVSS score of 5.4. No affected versions or patch information are explicitly provided.
CVSS v3.1
Score 5.4medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
AutoGPT's POST /api/integrations/webhooks/{webhook_id}/ping endpoint does not verify that the webhook belongs to the authenticated user before fetching it by primary key. This improper access control (CWE-284) enables authenticated users to enumerate webhooks, leak OAuth provider information, and in some cases trigger webhook pings on behalf of other users. The vulnerability is identified as CVE-2026-56823 with a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). No vendor advisory or patch details are provided, and the affected versions are unspecified.
Potential Impact
An authenticated user can confirm the existence of arbitrary webhooks belonging to other users, leak information about the webhook's OAuth provider type, and potentially trigger webhook ping deliveries on behalf of other users. This leads to information disclosure and limited integrity impact. There is no indication of availability impact. The vulnerability requires low attack complexity and privileges but no user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the webhook ping endpoint to only allow operations on webhooks owned by the authenticated user. Monitor for unusual webhook activity and consider implementing additional access controls to prevent unauthorized webhook enumeration and triggering.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-23T14:55:09.116Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3eae476e08203f7dc7e0d5
Added to database: 06/26/2026, 16:52:23 UTC
Last enriched: 06/26/2026, 17:07:01 UTC
Last updated: 06/26/2026, 17:07:01 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.