Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, `AddAudioToVideoBlock` will download and store the video and audio in a temporary directory without deleting before all noded are done. `StepThroughItemsBlock` can be used to iterate `MediaDurationBlock` multiple times. `StepThroughItemsBlock` does not limit the number of loops. In addition, `AddAudioToVideoBlock` does not limit the amount of disk space consumed in the current working directory and does not delete the video after outputing the result. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue.
Published: 2026-06-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AddAudioToVideoBlock in AutoGPT downloads and stores media in a temporary directory without removing it after completion, and it does not enforce any limits on the volume of data written to disk. Coupled with StepThroughItemsBlock, which can iterate without a bound, an attacker can cause the working directory to grow without restraint. The unlimited disk consumption can exhaust the file system, halting normal operation of the AutoGPT instance. This weakness is a classic case of uncontrolled resource consumption (CWE‑400).

Affected Systems

AutoGPT, a workflow automation platform from Significant‑Gravitas, is affected. Versions prior to 0.6.63 exhibit the flaw; the issue was fixed in 0.6.63. The vulnerability is specific to the AutoGPT engine and all related modules that rely on AddAudioToVideoBlock.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity potential. The vulnerability is not cataloged in CISA’s KEV list. Attackers can exploit the weakness by running an AutoGPT workflow that repeatedly invokes AddAudioToVideoBlock within an unlimited StepThroughItemsBlock loop, leading to rapid disk exhaustion. A user with sufficient privileges to execute AutoGPT is required to launch the attack, and no external system involvement is necessary.

Generated by OpenCVE AI on June 18, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AutoGPT to version 0.6.63 or later.
  • If an upgrade is delayed, apply disk quotas or relocate the temporary storage directory to a partition with a defined size limit to mitigate exhaustion.
  • Configure workflows to limit the number of iterations in StepThroughItemsBlock or disable it entirely to block unbounded loops.

Generated by OpenCVE AI on June 18, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Significant-gravitas
Significant-gravitas autogpt
Vendors & Products Significant-gravitas
Significant-gravitas autogpt

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.63, `AddAudioToVideoBlock` will download and store the video and audio in a temporary directory without deleting before all noded are done. `StepThroughItemsBlock` can be used to iterate `MediaDurationBlock` multiple times. `StepThroughItemsBlock` does not limit the number of loops. In addition, `AddAudioToVideoBlock` does not limit the amount of disk space consumed in the current working directory and does not delete the video after outputing the result. When a malicious user chooses to screen shot many web pages, the disk space will eventually run out, causing a DoS. Version 0.6.63 patches the issue.
Title AutoGPT has a DoS vulnerability in AddAudioToVideoBlock
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


Subscriptions

Significant-gravitas Autogpt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T12:33:24.735Z

Reserved: 2025-04-08T10:54:58.368Z

Link: CVE-2025-32436

cve-icon Vulnrichment

Updated: 2026-06-22T12:32:12.563Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:45:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption