Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.
Published: 2026-05-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AutoGPT versions 0.6.34 through 0.6.51 deserialize Redis cache entries using pickle.loads without any integrity or authenticity verification, allowing an attacker who can poison a shared cache key to execute arbitrary code in the backend container. The vulnerability is classed as CWE-345, CWE-502, and CWE-94; it can compromise confidentiality, integrity, and availability and carries a CVSS score of 7.6.

Affected Systems

The affected product is Significant‑Gravitas AutoGPT. Versions 0.6.34 to 0.6.51 are vulnerable; the issue was addressed in version 0.6.52 and later.

Risk and Exploitability

The EPSS score is not available, but the CVSS rating indicates a high risk. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an adversary who can write to a Redis cache key, either by direct access to the Redis instance or by exploiting an application path that writes to the cache without validation. No known publicly available exploits have been reported.

Generated by OpenCVE AI on May 19, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AutoGPT version 0.6.52 or later to eliminate the insecure pickle deserialization
  • Flush all existing Redis cache entries to remove any potentially malicious pickled data
  • Restrict write access to Redis by enforcing authentication, firewall rules, or network segmentation

Generated by OpenCVE AI on May 19, 2026 at 02:21 UTC.
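
The description faults the read path for calling pickle.loads with no HMAC/signature gating deserialization. The following is an added example, not AutoGPT's code and not the 0.6.52 fix (which this page does not show), of a cache read path that authenticates each entry before parsing it and stores JSON instead of pickle. The function names, the cache key names, the secret and the dict standing in for Redis are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag prefix

class CacheIntegrityError(Exception):
    """Raised when a cache entry fails authentication."""

def tag_for(secret: bytes, cache_key: str, payload: bytes) -> bytes:
    # Bind the tag to the key name (length-prefixed) so a valid entry
    # cannot be copied under a different cache key.
    name = cache_key.encode()
    msg = len(name).to_bytes(4, "big") + name + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()

def seal(secret: bytes, cache_key: str, value) -> bytes:
    # JSON, not pickle: parsing it can only yield plain data types.
    payload = json.dumps(value, sort_keys=True).encode()
    return tag_for(secret, cache_key, payload) + payload

def open_sealed(secret: bytes, cache_key: str, blob: bytes):
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    # Verify in constant time BEFORE any parsing of the payload.
    if not hmac.compare_digest(tag, tag_for(secret, cache_key, payload)):
        raise CacheIntegrityError(cache_key)
    return json.loads(payload)

def cached_get(store: dict, secret: bytes, cache_key: str):
    blob = store.get(cache_key)
    if blob is None:
        return None
    try:
        return open_sealed(secret, cache_key, blob)
    except CacheIntegrityError:
        store.pop(cache_key, None)  # evict and treat as a cache miss
        return None

def demo():
    secret = b"constructed-demo-secret"  # assumption: real key lives outside Redis
    store = {}  # constructed stand-in for the shared Redis cache
    store["graph:42"] = seal(secret, "graph:42", {"status": "ok", "nodes": 3})
    good = cached_get(store, secret, "graph:42")
    store["graph:43"] = store["graph:42"]  # valid entry replayed under another key
    replayed = cached_get(store, secret, "graph:43")
    store["graph:42"] = b"\x00" * 40  # constructed tampered entry
    tampered = cached_get(store, secret, "graph:42")
    return good, replayed, tampered, sorted(store)
```

The gate only helps if the HMAC secret is unreachable from anything that can write to Redis; a secret stored in the cache itself provides no protection.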

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Significant-gravitas; Significant-gravitas autogpt
Vendors & Products | | Significant-gravitas; Significant-gravitas autogpt

Tue, 19 May 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.
Title | | AutoGPT Platform: Remote Code Execution via Unsafe Pickle Deserialization of Redis Cache Entries
Weaknesses | | CWE-345; CWE-502; CWE-94
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T13:42:05.971Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33233

Vulnrichment

Updated: 2026-05-19T12:56:28.581Z

NVD

Status: Deferred

Published: 2026-05-19T02:16:15.840

Modified: 2026-05-19T15:16:30.033

Link: CVE-2026-33233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T02:30:35Z

Weaknesses
  • CWE-345

    Insufficient Verification of Data Authenticity

  • CWE-502

    Deserialization of Untrusted Data

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')