Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the SendWebRequestBlock component of the AutoGPT Platform. An authenticated user can supply a URL whose hostname resolves to an IPv4-mapped IPv6 address; the backend's IP validation does not normalize such addresses before comparing them against the blocked IPv4 ranges, so the request passes validation and reaches internal network services. This SSRF bypass can be chained to internal endpoints and potentially result in remote code execution. The weakness is classified as CWE-918.

Affected Systems

All Significant-Gravitas AutoGPT Platform deployments running a version prior to 0.6.52 are affected; any instance that has not applied the 0.6.52 update remains exposed.

Risk and Exploitability

With a CVSS score of 8.5 the flaw is high severity; no EPSS score is available and it is not listed in CISA KEV. Exploitation requires an authenticated account, but an attacker holding platform credentials can trigger the SSRF, reach services on the internal network, and potentially chain this to code execution, which makes the flaw a serious risk if exploited.

Generated by OpenCVE AI on June 26, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AutoGPT Platform to version 0.6.52 or later to apply the fixed IP validation logic.
  • As a temporary measure, configure the backend or a network firewall to reject IPv4-mapped IPv6 addresses and special-use IP ranges such as 100.64.0.0/10, blocking SSRF attempts.
  • Enforce strict role-based access control on the SendWebRequestBlock API and enable audit logging to detect and prevent unauthorized use.
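The description above says the check compared resolved addresses as parsed, so an IPv4-mapped IPv6 address never matched an IPv4 deny-list entry, and that 100.64.0.0/10 was absent from the list. The following is an added illustration of the fixed validation logic the first recommended action refers to; it is not AutoGPT's code, the function names and the deny list are hypothetical, and it relies only on Python's standard ipaddress module.

```python
import ipaddress
from typing import Iterable

# Hypothetical deny list for the hardened check (not AutoGPT's list). It includes
# the CGNAT range 100.64.0.0/10 (RFC 6598) that the advisory says was missing.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_ip_blocked(ip: str) -> bool:
    """The flawed pattern: test the parsed address as-is against the deny list.

    ipaddress never reports an IPv6Address as a member of an IPv4Network, so an
    IPv4-mapped address such as ::ffff:10.0.0.1 is not caught even though a
    dual-stack socket delivers it to 10.0.0.1.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def normalize_ip(ip: str):
    """Unwrap IPv6 forms that embed an IPv4 address before the deny-list check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address):
        # ::ffff:a.b.c.d (RFC 4291) -> a.b.c.d
        if addr.ipv4_mapped is not None:
            return addr.ipv4_mapped
        # 2002:AABB:CCDD::/48 6to4 (RFC 3056) -> AA.BB.CC.DD
        if addr.sixtofour is not None:
            return addr.sixtofour
    return addr


def hardened_is_ip_blocked(ip: str) -> bool:
    """Deny-list check that sees through IPv4-in-IPv6 encodings."""
    addr = normalize_ip(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolved_host_is_safe(resolved_ips: Iterable[str]) -> bool:
    """Accept a hostname only if every A/AAAA result passes the hardened check.

    All resolved addresses must pass, because the HTTP client may connect to
    whichever of them it prefers; an empty result set is rejected too.
    """
    ips = list(resolved_ips)
    return bool(ips) and not any(hardened_is_ip_blocked(ip) for ip in ips)
```

Feed `resolved_host_is_safe` the full list returned by name resolution rather than the first record, since a name can carry both a public A record and an internal AAAA record.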

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type: Description
Values added: AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.
Type: Title
Values added: AutoGPT: SSRF-to-RCE Chain in `SendWebRequestBlock` via IP validation bypass and internal `pg-meta` access
Type: Weaknesses
Values added: CWE-918
Type: References
Values added:
Type: Metrics (cvssV3_1)
Values added: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:13:02.468Z

Reserved: 2026-06-22T16:39:01.043Z

Link: CVE-2026-56663

Vulnrichment

Updated: 2026-06-26T18:12:15.338Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:45:03Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)