Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.
Published: 2026-05-19
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AutoGPT versions 0.6.34 through 0.6.51 deserialize Redis cache entries using pickle.loads without any integrity or authenticity verification, allowing an attacker who can poison a shared cache key to execute arbitrary code in the backend container. The vulnerability is classed as CWE-345, CWE-502, and CWE-94; it can compromise confidentiality, integrity, and availability and carries a CVSS score of 7.6.
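The integrity gate whose absence is described above, sketched as an added example; it is not AutoGPT's code and not the 0.6.52 patch. The names seal, unseal and cached_get are hypothetical, a dict stands in for Redis, and the HMAC key is assumed to be held outside Redis (for example in the backend's secret store). JSON replaces pickle so that even an authenticated entry cannot instantiate objects.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class CacheIntegrityError(Exception):
    """Cache entry failed authentication."""


def _mac(key: bytes, name: str, body: bytes) -> bytes:
    # Length-prefix the cache key name so the tag binds the value to its slot.
    n = name.encode()
    return hmac.new(key, len(n).to_bytes(4, "big") + n + body, hashlib.sha256).digest()


def seal(key: bytes, name: str, value) -> bytes:
    """Write path: JSON-encode the value and prepend the tag."""
    body = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return _mac(key, name, body) + body


def unseal(key: bytes, name: str, blob: bytes):
    """Read path: verify the tag before any parsing happens."""
    if len(blob) < TAG_LEN:
        raise CacheIntegrityError("entry shorter than tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, name, body)):
        raise CacheIntegrityError("tag mismatch")
    return json.loads(body)


def cached_get(store: dict, key: bytes, name: str):
    """Treat an unauthenticated entry as a cache miss and evict it."""
    blob = store.get(name)
    if blob is None:
        return None
    try:
        return unseal(key, name, blob)
    except CacheIntegrityError:
        store.pop(name, None)
        return None


if __name__ == "__main__":
    k, store = b"\x01" * 32, {}            # constructed key and stand-in cache
    store["user:1"] = seal(k, "user:1", {"plan": "pro"})
    print(cached_get(store, k, "user:1"))  # authentic entry is returned
    store["user:1"] = b"bytes written by someone without the key"
    print(cached_get(store, k, "user:1"))  # poisoned entry is dropped
```

An eviction on tag mismatch is also a detection signal worth logging, since a legitimate writer never produces one.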

Affected Systems

The affected product is Significant‑Gravitas AutoGPT. Versions 0.6.34 to 0.6.51 are vulnerable; the issue was addressed in version 0.6.52 and later.

Risk and Exploitability

The EPSS score is not available, but the CVSS rating indicates a high risk. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an adversary who can write to a Redis cache key, either by direct access to the Redis instance or by exploiting an application path that writes to the cache without validation. No known publicly available exploits have been reported.

Generated by OpenCVE AI on May 19, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AutoGPT version 0.6.52 or later to eliminate the insecure pickle deserialization
  • Flush all existing Redis cache entries to remove any potentially malicious pickled data
  • Restrict write access to Redis by enforcing authentication, firewall rules, or network segmentation



Advisories

No advisories yet.

History

Tue, 19 May 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Significant-gravitas; Significant-gravitas autogpt
Vendors & Products | | Significant-gravitas; Significant-gravitas autogpt

Tue, 19 May 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.
Title | | AutoGPT Platform: Remote Code Execution via Unsafe Pickle Deserialization of Redis Cache Entries
Weaknesses | | CWE-345; CWE-502; CWE-94
References | |
Metrics | | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T00:46:49.642Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33233

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T02:16:15.840

Modified: 2026-05-19T02:16:15.840

Link: CVE-2026-33233

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T02:30:35Z

Weaknesses