Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.
Published: 2026-01-29
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because the AutoGPT Platform’s block execution endpoints allow an authenticated user to execute a BlockInstallationBlock marked as disabled. The endpoint writes arbitrary Python code to the server filesystem and imports it with __import__(), giving the user full remote code execution over the host. This reflects weaknesses in permission checks (CWE‑276), incorrect function handling (CWE‑863), and code generation control (CWE‑94). The attacker can run any code with the process’s privileges, potentially taking over the system.

Affected Systems

All AutoGPT Platform instances running a version earlier than autogpt-platform-beta‑v0.6.44 are affected. The product is the AutoGPT Platform developed by Significant‑Gravitas. No additional version specifics are provided.

Risk and Exploitability

The CVSS score is 8.6, indicating high severity, while the EPSS score is below 1%, suggesting a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. The attack requires authentication; an adversary can self‑register in a default self‑hosted installation with signup enabled, or otherwise must obtain a valid user account. Once authenticated, the attacker can trigger the disabled block via the exposed API and achieve remote code execution, which grants full control over the server.

Generated by OpenCVE AI on April 18, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AutoGPT to autogpt-platform-beta‑v0.6.44 or newer.
  • Restart the AutoGPT service so that the new code is loaded.
  • Audit and revoke any BlockInstallationBlock instances that are disabled but may still be accessible, ensuring they are not triggered via API.

Generated by OpenCVE AI on April 18, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r277-3xc5-c79v AutoGPT is Vulnerable to RCE via Disabled Block Execution
History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Agpt
Agpt autogpt Platform
CPEs cpe:2.3:a:agpt:autogpt_platform:*:*:*:*:*:*:*:*
Vendors & Products Agpt
Agpt autogpt Platform
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Significant-gravitas
Significant-gravitas autogpt
Vendors & Products Significant-gravitas
Significant-gravitas autogpt

Thu, 29 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.
Title AutoGPT is Vulnerable to RCE via Disabled Block Execution
Weaknesses CWE-276
CWE-863
CWE-94
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}

Subscriptions

Agpt Autogpt Platform
Significant-gravitas Autogpt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T21:16:08.779Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24780

cve-icon Vulnrichment

Updated: 2026-01-29T21:16:04.283Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-29T18:16:17.080

Modified: 2026-02-17T16:04:36.780

Link: CVE-2026-24780

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses