Impact
The vulnerability allows clients to call POST /api/blocks/{block_id}/execute and run blocks without consuming credits, bypassing the credit enforcement that normally protects the platform. Because the bypass occurs when blocks are invoked directly through the external API, an attacker can execute any block an unlimited number of times. The platform can therefore be forced to consume server resources and incur costs without payment, leading to a denial of service condition, financial losses, and potential flooding of the network. The weakness stems from improper validation of the credit balance before the user-supplied block is executed, classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-841 (Improper Enforcement of Behavioral Workflow).
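As an added illustration (not AutoGPT's code; the ledger, block costs and handler functions are hypothetical stand-ins), the following shows the shape of the missing credit check beside a handler that debits atomically before the block runs, so that concurrent requests cannot all pass a single balance check:

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

class InsufficientCredits(Exception): pass

@dataclass
class CreditLedger:
    # Constructed in-memory stand-in for the platform's credit store.
    balances: dict = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def debit(self, user_id: str, amount: int) -> int:
        # Check and deduct under one lock: a separate "check, then deduct"
        # would let concurrent requests all pass the check on one balance.
        with self.lock:
            balance = self.balances.get(user_id, 0)
            if balance < amount:
                raise InsufficientCredits(f"{user_id}: {balance} < {amount}")
            self.balances[user_id] = balance - amount
            return self.balances[user_id]

BLOCK_COSTS = {"llm_call": 5, "http_fetch": 1}  # hypothetical per-block costs

def run_block(block_id: str, payload: dict) -> dict:
    # Stand-in for the real block runner, where the server cost is incurred.
    return {"block": block_id, "output": f"ran with {payload!r}"}

def execute_block_vulnerable(ledger, user_id, block_id, payload):
    # Shape of the bypass: the direct endpoint never consults the ledger.
    return run_block(block_id, payload)

def execute_block_fixed(ledger, user_id, block_id, payload):
    # Debit before any work; InsufficientCredits is the caller's signal to
    # refuse the request (e.g. HTTP 402) rather than run the block.
    ledger.debit(user_id, BLOCK_COSTS[block_id])
    return run_block(block_id, payload)

def race(ledger, user_id, block_id, n):
    # n concurrent fixed-path requests; returns how many actually executed.
    def attempt(_):
        try:
            execute_block_fixed(ledger, user_id, block_id, {})
            return 1
        except InsufficientCredits:
            return 0
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(attempt, range(n)))
```

With a balance that covers only one expensive block, ten concurrent fixed-path requests execute exactly once, whereas the vulnerable path runs regardless of balance.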
Affected Systems
Affected systems include the Significant-Gravitas AutoGPT workflow automation platform. Versions 0.6.58 and earlier are vulnerable; the issue was fixed in version 0.6.59. No other products or vendor versions are referenced.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. EPSS is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The exploit path is the exposed API endpoint; authentication requirements are not detailed in the advisory, so whether and how the endpoint is authenticated affects feasibility. The most likely attack vector is remote over the network, allowing an unauthenticated or low-privileged user with API access to trigger extensive block execution, exhausting resources while bypassing credit checks.
OpenCVE Enrichment