CVE-2026-26020
Awaiting Analysis Awaiting Analysis - Queue
Remote Code Execution via Disabled Block Bypass in AutoGPT

Publication date: 2026-02-12

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock β€” a development tool capable of writing and importing arbitrary Python code β€” was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block's execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26020
EUVD
EUVD-2026-6688
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agpt autogpt_platform to 0.6.48 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26020 is a critical security vulnerability in the AutoGPT platform that allowed authenticated users to execute arbitrary Python code on the backend server. This was possible because a special development block called BlockInstallationBlock, which was marked as disabled to prevent its use, was not properly checked during graph validation. Although the block was disabled and hidden from the user interface, the validation process did not enforce this disabled status when the block was included as a node in a graph. As a result, users could bypass restrictions and achieve Remote Code Execution (RCE) by embedding this disabled block inside a graph.

The vulnerability was fixed in version 0.6.48 by adding strict checks during graph validation and execution to reject any graph containing disabled blocks and prevent their execution at runtime.

Impact Analysis

This vulnerability allows any authenticated user with low privileges to execute arbitrary code on the backend server, leading to a full compromise of the system.

  • Attackers can gain full access to environment secrets such as database credentials and service keys.
  • They can read from and write to the database directly.
  • It enables lateral movement to internal services within the network.
  • Attackers can maintain persistence by accessing and modifying files on disk within the container.

Overall, this vulnerability severely compromises the confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "To detect exploitation of CVE-2026-26020 on your system, you should audit your AutoGPT instance for graphs that include the vulnerable disabled block with ID '45e78db5-03e9-447f-9395-308d712f5f08'. This can be done by querying the database for any graphs referencing this block ID."}, {'type': 'paragraph', 'content': 'Additionally, check for unauthorized Python files in the backend/blocks/ directory, which may indicate arbitrary code execution attempts.'}, {'type': 'paragraph', 'content': 'Suggested commands include database queries to find graphs containing the vulnerable block ID and filesystem searches for suspicious Python files. For example:'}, {'type': 'list_item', 'content': "SQL query to find graphs with the vulnerable block ID: SELECT * FROM graphs WHERE nodes LIKE '%45e78db5-03e9-447f-9395-308d712f5f08%';"}, {'type': 'list_item', 'content': "Filesystem search for unauthorized Python files: find backend/blocks/ -type f -name '*.py' -exec ls -l {} \\;"}, {'type': 'paragraph', 'content': 'If such entries or files are found, treat the instance as compromised and conduct a thorough security audit.'}] [2]

Mitigation Strategies

The primary mitigation step is to update AutoGPT to version 0.6.48 or later, where the vulnerability is fixed by enforcing the disabled flag during graph validation and execution.

If you are running a self-hosted instance, immediately apply the patch or upgrade to the fixed release to prevent exploitation.

If you suspect your instance has been compromised, rotate all backend secrets such as database credentials and service keys, and audit for unauthorized changes or persistence mechanisms.

Additionally, review your system logs and database for signs of exploitation as described in detection steps.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart