CVE-2026-24780
Remote Code Execution in AutoGPT Block Execution API

Publication date: 2026-01-29

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.
Meta Information
Published: 2026-01-29
Last Modified: 2026-02-17
Generated: 2026-06-16
AI Q&A: 2026-01-29
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
agpt | autogpt_platform | From 0.1.0 (inc) to 0.6.44 (exc)
CWE ID | Description
CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files.
Executive Summary

CVE-2026-24780 is a critical Remote Code Execution (RCE) vulnerability in the AutoGPT Platform. The platform's block execution endpoints allow executing blocks by UUID without verifying if the block is disabled. Specifically, the disabled flag on blocks is documented but not enforced during execution, enabling any authenticated user to execute a disabled special block called BlockInstallationBlock. This block has a hardcoded public UUID and, when executed, writes arbitrary Python code supplied by the user to the server filesystem and immediately executes it via Python's __import__() function. This flaw allows attackers to run arbitrary code on the backend server, leading to full remote code execution. [2]

Impact Analysis

This vulnerability can have severe impacts. An attacker who exploits it can fully compromise the server running the AutoGPT Platform. They can access all user data, credentials, API keys, and environment variables (including cloud secrets), and move laterally to connected infrastructure such as Redis, PostgreSQL, and cloud services. Additionally, attackers can install persistent backdoors, maintaining long-term access to the system. The vulnerability requires only low privileges (any authenticated user) and no user interaction, making it highly exploitable, especially in self-hosted deployments with open signup. [2]

Detection Guidance

A deployment is exposed if it runs a version prior to autogpt-platform-beta-v0.6.44, in which the block execution endpoints execute blocks by UUID without verifying the disabled flag. To look for exploitation attempts, monitor web server logs or API access logs for requests to POST /blocks/{block_id}/execute or POST /external-api/v1/blocks/{block_id}/execute where the block ID is the known UUID 45e78db5-03e9-447f-9395-308d712f5f08 (the disabled BlockInstallationBlock). For example, using grep on logs: `grep 'POST /blocks/45e78db5-03e9-447f-9395-308d712f5f08/execute' /var/log/autogpt/access.log`, or a similar command adapted to your environment. Additionally, monitor for the creation of unexpected Python files on the server filesystem and, if you have application-level logging, for unusual __import__() executions. Because the vulnerability requires authentication, also check for suspicious authenticated API calls made with EXECUTE_BLOCK permissions. The referenced resources themselves do not provide specific detection commands. [2]
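
The log search described above, written as an added example (not code from the advisory or from the AutoGPT project) that covers both execute routes in one pass. The combined log format with the client IP first and the sample lines are constructed assumptions; the UUID and routes are the ones named on this page.

```python
import re

# UUID and routes are the ones named in the advisory text above.
BLOCK_UUID = "45e78db5-03e9-447f-9395-308d712f5f08"

# Matches a POST to either execute route for that UUID. Tolerates a
# reverse-proxy path prefix, a query string and an upper-cased UUID,
# all of which a literal grep for the lower-case path would miss.
EXEC_RE = re.compile(
    r'"POST\s+\S*?/(?P<ext>external-api/v1/)?blocks/'
    + re.escape(BLOCK_UUID)
    + r'/execute(?:\?\S*)?\s+HTTP/[\d.]+"\s+(?P<status>\d{3})',
    re.IGNORECASE,
)

# Constructed sample lines (assumed combined log format, client IP first).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2026:10:01:02 +0000] "POST /api/blocks/'
    '45e78db5-03e9-447f-9395-308d712f5f08/execute HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Jan/2026:10:01:09 +0000] "POST /external-api/v1/blocks/'
    '45E78DB5-03E9-447F-9395-308D712F5F08/execute?wait=1 HTTP/1.1" 403 87',
    '198.51.100.4 - - [30/Jan/2026:10:02:00 +0000] "POST /blocks/'
    '11111111-2222-3333-4444-555555555555/execute HTTP/1.1" 200 900',
    '198.51.100.4 - - [30/Jan/2026:10:02:05 +0000] "GET /blocks/'
    '45e78db5-03e9-447f-9395-308d712f5f08/execute HTTP/1.1" 405 0',
]

def find_hits(lines):
    """Return one record per POST that targeted the disabled block."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = EXEC_RE.search(line)
        if match is None:
            continue
        status = int(match.group("status"))
        hits.append({
            "line": number,
            "client": line.split(" ", 1)[0],
            "api": "external" if match.group("ext") else "main",
            "status": status,
            # A 2xx answer means the request was not rejected.
            "accepted": 200 <= status < 300,
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Records with `accepted` set on a pre-fix version are the ones to hand to incident response first.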

Mitigation Strategies

The immediate mitigation step is to upgrade your AutoGPT Platform deployment to version autogpt-platform-beta-v0.6.44 or later, which contains the fix that enforces the disabled flag on block execution endpoints. Additionally, if you are running a self-hosted deployment with signup enabled, consider disabling signup to prevent attackers from self-registering low-privilege accounts. Restrict API key permissions to prevent arbitrary minting of EXECUTE_BLOCK keys by users. Monitor and audit API usage for suspicious block execution attempts. Applying these steps will prevent exploitation of the vulnerability that allows remote code execution via the disabled BlockInstallationBlock. [2]
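
What enforcing the disabled flag at execution time looks like in general, as an added example that is not AutoGPT's code or its actual patch. The `Block` type, the registry, the route functions and the block IDs are all hypothetical; the point is that both entry points resolve blocks through one guarded lookup.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Block:
    id: str
    run: Callable[[dict], dict]
    disabled: bool = False

# Constructed registry; IDs and block behaviour are placeholders.
ENABLED_ID = "00000000-0000-0000-0000-000000000001"
DISABLED_ID = "00000000-0000-0000-0000-000000000002"
REGISTRY = {
    b.id: b for b in (
        Block(ENABLED_ID, lambda d: {"echo": d}),
        Block(DISABLED_ID, lambda d: {"ran": "disabled block"}, disabled=True),
    )
}

class BlockUnavailable(Exception):
    """Raised for unknown and disabled blocks alike."""

def lookup_unchecked(block_id):
    # Flawed pattern: any registered UUID resolves, disabled or not.
    return REGISTRY.get(block_id)

def lookup_executable(block_id):
    # Hardened pattern: the only lookup the execute routes may use.
    block = REGISTRY.get(block_id)
    if block is None or block.disabled:
        raise BlockUnavailable(block_id)
    return block

def _execute(block_id, data):
    try:
        return 200, lookup_executable(block_id).run(data)
    except BlockUnavailable:
        # Same answer for unknown and disabled IDs (a design choice here).
        return 404, {"detail": "block not found"}

# Both entry points share one guard, so neither can skip the check.
def execute_main_api(block_id, data):
    return _execute(block_id, data)

def execute_external_api(block_id, data):
    return _execute(block_id, data)
```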

Compliance Impact

This vulnerability allows attackers to fully compromise the server, including access to all user data, credentials, API keys, environment variables, and connected infrastructure. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. Therefore, exploitation of this vulnerability poses a significant risk to compliance with these standards. [2]
