CVE-2026-24780
Remote Code Execution in AutoGPT Block Execution API

Publication date: 2026-01-29

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.
Meta Information
Published: 2026-01-29
Last Modified: 2026-02-17
Generated: 2026-05-07
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
| Vendor | Product | Version / Range |
|---|---|---|
| agpt | autogpt_platform | From 0.1.0 (inc) to 0.6.44 (exc) |
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24780 is a critical Remote Code Execution (RCE) vulnerability in the AutoGPT Platform. The platform's block execution endpoints allow executing blocks by UUID without verifying if the block is disabled. Specifically, the disabled flag on blocks is documented but not enforced during execution, enabling any authenticated user to execute a disabled special block called BlockInstallationBlock. This block has a hardcoded public UUID and, when executed, writes arbitrary Python code supplied by the user to the server filesystem and immediately executes it via Python's __import__() function. This flaw allows attackers to run arbitrary code on the backend server, leading to full remote code execution. [2]


How can this vulnerability impact me?

This vulnerability can have severe impacts. An attacker who exploits it can fully compromise the server running the AutoGPT Platform. They can access all user data, credentials, API keys, environment variables (including cloud secrets), and move laterally to connected infrastructure such as Redis, PostgreSQL, and cloud services. Additionally, attackers can install persistent backdoors, maintaining long-term access to the system. The vulnerability requires only low privileges (any authenticated user) and no user interaction, making it highly exploitable especially in self-hosted deployments with open signup. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if your AutoGPT Platform deployment is running a version prior to autogpt-platform-beta-v0.6.44 and if the block execution endpoints allow execution of blocks by UUID without verifying the disabled flag. Specifically, look for requests to the endpoints POST /blocks/{block_id}/execute or POST /external-api/v1/blocks/{block_id}/execute using the known UUID 45e78db5-03e9-447f-9395-308d712f5f08 (the disabled BlockInstallationBlock). Commands to detect exploitation attempts could include monitoring web server logs or API access logs for POST requests to these endpoints with that UUID. For example, using grep on logs: `grep 'POST /blocks/45e78db5-03e9-447f-9395-308d712f5f08/execute' /var/log/autogpt/access.log` or similar for your environment. Additionally, monitor for creation of unexpected Python files on the server filesystem or unusual __import__() executions if you have application-level logging. Since the vulnerability requires authentication, check for suspicious authenticated API calls with EXECUTE_BLOCK permissions. However, no specific detection commands are provided in the resources. [2]
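
The log check described above, widened to cover both execution endpoints in one pass, as an added example (not from the advisory or the AutoGPT project). It assumes combined-format access logs and an `/api` mount prefix; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# UUID of the disabled BlockInstallationBlock, as quoted in the text above.
BLOCK_ID = "45e78db5-03e9-447f-9395-308d712f5f08"
# Assumed layout: combined log format (client, [time], "METHOD path PROTO", status).
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Both routes from the text, under any mount prefix, with optional trailing slash
# or query string, and the UUID in either letter case.
ROUTE_RE = re.compile(r'(?P<ext>/external-api/v1)?/blocks/' + re.escape(BLOCK_ID)
                      + r'/execute/?(?:\?|$)', re.IGNORECASE)

def find_block_executions(lines):
    """Return one record per POST to the execute route of the disabled block."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        route = ROUTE_RE.search(m["path"])
        if route:
            hits.append({
                "client": m["client"], "time": m["ts"],
                "api": "external" if route["ext"] else "main",
                "status": int(m["status"]),
                # Assumption: a 2xx status means the server accepted the request.
                "accepted": m["status"].startswith("2"),
            })
    return hits

def clients_to_triage(hits):
    """Count accepted requests per client address, most active first."""
    return Counter(h["client"] for h in hits if h["accepted"]).most_common()

# Constructed sample lines (documentation addresses, not real traffic).
TS = "[29/Jan/2026:10:15:02 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "POST /api/blocks/{BLOCK_ID}/execute HTTP/1.1" 200 512',
    f'203.0.113.7 - - {TS} "POST /external-api/v1/blocks/{BLOCK_ID.upper()}/execute HTTP/1.1" 200 498',
    f'198.51.100.20 - - {TS} "POST /api/blocks/{BLOCK_ID}/execute/ HTTP/1.1" 403 41',
    f'198.51.100.20 - - {TS} "POST /api/blocks/00000000-0000-0000-0000-000000000000/execute HTTP/1.1" 200 77',
    f'192.0.2.5 - - {TS} "GET /api/blocks/{BLOCK_ID}/execute HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    hits = find_block_executions(SAMPLE_LOG)
    for h in hits: print(h)
    print(clients_to_triage(hits))
```

Adjust `LINE_RE` to the log format your reverse proxy or API server actually writes; the route pattern is independent of it.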


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade your AutoGPT Platform deployment to version autogpt-platform-beta-v0.6.44 or later, which contains the fix that enforces the disabled flag on block execution endpoints. Additionally, if you are running a self-hosted deployment with signup enabled, consider disabling signup to prevent attackers from self-registering low-privilege accounts. Restrict API key permissions to prevent arbitrary minting of EXECUTE_BLOCK keys by users. Monitor and audit API usage for suspicious block execution attempts. Applying these steps will prevent exploitation of the vulnerability that allows remote code execution via the disabled BlockInstallationBlock. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows attackers to fully compromise the server, including access to all user data, credentials, API keys, environment variables, and connected infrastructure. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. Therefore, exploitation of this vulnerability poses a significant risk to compliance with these standards. [2]

