Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python's smtplib.SMTP() to open a raw TCP connection with no IP address validation. This completely bypasses the platform's hardened SSRF protections in backend/util/request.py — the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist that every other block uses to block connections to private, loopback, link-local, and cloud metadata addresses. An authenticated user on a shared AutoGPT deployment can use this to perform non-blind internal network port scanning and service fingerprinting: smtplib reads the target's TCP banner on connect and embeds it in the exception message, which is persisted as user-visible block output via the execution framework. This issue has been fixed in version 0.6.52.
Published: 2026-05-19
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SendEmailBlock accepts a user‑supplied SMTP server address and port and forwards them directly to Python's smtplib without performing any IP validation. This bypasses AutoGPT's hardened SSRF protections that normally block connections to private, loopback, link‑local and cloud metadata addresses. As a consequence, an authenticated user on a shared deployment can instruct the platform to open a raw TCP connection to any internal host, read the service banner on connect, and display the banner in the block output, effectively providing non‑blind internal port scanning and service fingerprinting.
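The description and the impact paragraph above both come down to one missing step: the block opened smtplib.SMTP() on a user-supplied host and port without first resolving the host and checking the result against the platform's IP blocklist, and then let smtplib's exception text (which carries the peer's greeting banner) reach the user. The block below is an added example, not AutoGPT's own code and not the fixed version shipped in 0.6.52: it shows a resolve-then-check guard modelled on the validate_url_host()/BLOCKED_IP_NETWORKS pattern the description mentions, plus an error path that never echoes the server banner. The blocklist entries, the ALLOWED_SMTP_PORTS set and all function names here are assumptions of this example.

```python
import ipaddress
import smtplib
import socket
from typing import Callable

# Assumed blocklist, modelled on the idea of AutoGPT's BLOCKED_IP_NETWORKS;
# these are not the project's own entries.
BLOCKED_IP_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "0.0.0.0/8",        # "this" network
        "10.0.0.0/8",       # RFC 1918
        "100.64.0.0/10",    # carrier-grade NAT
        "127.0.0.0/8",      # loopback
        "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata service
        "172.16.0.0/12",    # RFC 1918
        "192.168.0.0/16",   # RFC 1918
        "::/128",           # unspecified
        "::1/128",          # loopback
        "fc00::/7",         # unique local
        "fe80::/10",        # link-local
    )
]

# Assumed allowlist: the ports a mail block legitimately needs. Rejecting
# everything else removes the "connect to any port" primitive outright.
ALLOWED_SMTP_PORTS = {25, 465, 587, 2525}


def is_blocked_ip(ip_text: str) -> bool:
    """True if the literal address falls inside any blocked network."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is an IPv4-mapped IPv6 address; judge it as 10.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_IP_NETWORKS)


def resolve_host(host: str) -> list[str]:
    """Resolve a name (or IP literal) to every address it maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_smtp_host(host: str, port: int,
                       resolver: Callable[[str], list[str]] = resolve_host) -> list[str]:
    """Return the resolved addresses if host:port is acceptable, else raise ValueError.

    Every resolved address must pass: a name that maps to both a public and a
    private address is rejected, because the connect may pick either one.
    """
    if port not in ALLOWED_SMTP_PORTS:
        raise ValueError(f"port {port} is not an allowed SMTP port")
    if not host or host.strip() != host:
        raise ValueError("SMTP server name is empty or malformed")
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        raise ValueError("SMTP server name does not resolve") from exc
    if not addresses:
        raise ValueError("SMTP server name does not resolve")
    if any(is_blocked_ip(a) for a in addresses):
        raise ValueError("SMTP server resolves to a blocked address")
    return addresses


def send_mail_hardened(smtp_server: str, smtp_port: int,
                       resolver: Callable[[str], list[str]] = resolve_host,
                       smtp_factory=smtplib.SMTP) -> dict:
    """Connect only after validation, and never surface the peer's banner.

    The resolver and SMTP factory are injectable so the logic can be exercised
    offline; in production the defaults (DNS and smtplib.SMTP) are used.
    """
    try:
        validate_smtp_host(smtp_server, smtp_port, resolver)
    except ValueError as exc:
        return {"status": "error", "error": str(exc)}
    try:
        with smtp_factory(smtp_server, smtp_port, timeout=10) as smtp:
            smtp.noop()  # a real block would EHLO/STARTTLS/login/sendmail here
    except (smtplib.SMTPException, OSError):
        # smtplib embeds the server's 220 greeting in exception text, so return
        # a fixed message and keep the original exception in server-side logs only.
        return {"status": "error", "error": "SMTP connection failed"}
    return {"status": "ok"}
```

Two design points worth noting. Rejecting a name when any resolved address is blocked closes the common bypass of a hostname that returns one public and one private record. Validating by name and then letting smtplib resolve the name again still leaves a window for DNS rebinding between check and connect; a stricter build resolves once and connects to the vetted IP, at the cost of having to pass the original hostname separately for TLS verification.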

Affected Systems

The vulnerability affects Significant‑Gravitas AutoGPT platform versions 0.1.0 through 0.6.51. It is fixed in version 0.6.52 and later.

Risk and Exploitability

With a CVSS score of 5 the issue represents moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector requires an authenticated user on a shared deployment and allows that user to probe internal network services via arbitrary SMTP endpoints. The potential impact is internal reconnaissance that could facilitate further attacks on exposed internal resources. The overall risk is therefore moderate but should be addressed promptly.

Generated by OpenCVE AI on May 19, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AutoGPT to version 0.6.52 or later, where the SMTP host validation has been restored.
  • If an immediate upgrade is not possible, disable or restrict the SendEmailBlock for authenticated users to prevent exploitation.
  • Implement perimeter firewall rules or host‑based intrusion prevention to block outbound SMTP connections from AutoGPT servers to internal IP ranges.


Advisories

No advisories yet.

History

Tue, 19 May 2026 02:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Significant-gravitas
                                      Significant-gravitas autogpt
Vendors & Products                    Significant-gravitas
                                      Significant-gravitas autogpt

Tue, 19 May 2026 01:30:00 +0000

Type          Values Removed   Values Added
Description                    (the Description text shown at the top of this page)
Title                          AutoGPT: SendEmailBlock's IP blocklist bypass allows SSRF via user-controlled SMTP server
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Significant-gravitas Autogpt
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T00:51:41.350Z

Reserved: 2026-03-18T02:42:27.508Z

Link: CVE-2026-33234

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T02:16:16.010

Modified: 2026-05-19T02:16:16.010

Link: CVE-2026-33234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T02:30:35Z

Weaknesses