Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock — a development tool capable of writing and importing arbitrary Python code — was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block's execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.
Published: 2026-02-12
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

This vulnerability allows an authenticated user to execute arbitrary Python code on the AutoGPT backend by embedding a BlockInstallationBlock, a development tool that can write and import arbitrary code, inside a workflow graph. The block is intended to be disabled, but graph validation does not enforce this flag, enabling the user to bypass the intended restriction. The flaw is an improper authorization weakness (CWE‑285), providing full control over the server where AutoGPT runs.

Affected Systems

Any installation of Significant‑Gravitas AutoGPT prior to version 0.6.48 is affected. The issue was fixed in release 0.6.48; further releases include the patch.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical impact, while the EPSS score of less than 1% suggests that active exploitation has not been widely observed, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user with permissions to create or modify workflow graphs; such a user can embed the vulnerable block and immediately gain code execution capabilities on the backend server.

Generated by OpenCVE AI on April 18, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AutoGPT to version 0.6.48 or later, which removes the vulnerable block functionality.
  • Disable or restrict the BlockInstallationBlock development tool for all users, ensuring the disabled=True flag is enforced during graph validation.
  • Review and tighten user permissions so that only trusted accounts can create or modify workflow graphs; eliminate the ability to embed arbitrary code blocks in production deployments.

Generated by OpenCVE AI on April 18, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Agpt
Agpt autogpt Platform
CPEs cpe:2.3:a:agpt:autogpt_platform:*:beta:*:*:*:*:*:*
Vendors & Products Agpt
Agpt autogpt Platform
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Significant-gravitas
Significant-gravitas autogpt
Vendors & Products Significant-gravitas
Significant-gravitas autogpt

Thu, 12 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock — a development tool capable of writing and importing arbitrary Python code — was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block's execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.
Title AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__)
Weaknesses CWE-285
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Agpt Autogpt Platform
Significant-gravitas Autogpt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:04:07.769Z

Reserved: 2026-02-09T21:36:29.554Z

Link: CVE-2026-26020

cve-icon Vulnrichment

Updated: 2026-02-12T21:03:52.187Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-12T21:16:03.500

Modified: 2026-02-17T20:10:42.077

Link: CVE-2026-26020

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses