CVE-2026-33233
Deferred Deferred - Pending Action
Remote Code Execution in AutoGPT via Unsafe Redis Cache Deserialization

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-33233
EUVD
EUVD-2026-30817
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
significant_gravitas autogpt From 0.6.34 (inc) to 0.6.51 (inc)
significant_gravitas autogpt 0.6.52
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the AutoGPT platform backend where it uses Python's pickle module to deserialize cached data from Redis without any integrity or authenticity checks.

Specifically, the backend serializes data with pickle.dumps and deserializes it with pickle.loads blindly, without verifying the data's source or structure.

If an attacker can poison a shared Redis cache key, they can inject malicious pickle payloads that execute arbitrary commands in the backend container context.

This leads to remote code execution (RCE), allowing the attacker to compromise the system's confidentiality, integrity, and availability.

Impact Analysis

If exploited, this vulnerability allows an attacker with access to poison the Redis cache to execute arbitrary commands on the backend server running AutoGPT.

This can lead to full compromise of the backend container, affecting confidentiality by exposing sensitive data, integrity by altering or injecting malicious data, and availability by disrupting service.

The severity is high, with a CVSS score of 7.6, indicating significant potential damage.

Detection Guidance

This vulnerability can be detected by checking if the AutoGPT backend is using unsafe deserialization of Redis cache data with pickle.loads without integrity or authenticity checks.

One practical way to detect exploitation attempts is to monitor Redis cache keys for suspicious or unexpected serialized payloads that could contain malicious pickle data.

A proof-of-concept attack involves injecting a malicious pickle payload into Redis that executes arbitrary commands, such as creating a file like /tmp/autogpt_pickle_rce_official.

  • Use Redis CLI commands to inspect cache keys, for example: `redis-cli KEYS '*'` to list keys and `redis-cli GET <key>` to view their contents.
  • Look for unusual or unexpected binary data in Redis values that might indicate malicious pickle payloads.
  • Check the backend logs or filesystem for artifacts of exploitation, such as the presence of files created by malicious payloads (e.g., /tmp/autogpt_pickle_rce_official).
Mitigation Strategies

Immediate mitigation steps include upgrading AutoGPT to version 0.6.52 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, consider the following measures:

  • Replace the use of pickle serialization with safer formats such as JSON or MsgPack combined with strict schema validation.
  • If binary serialization must be used, implement cryptographic signatures (HMAC) to verify data integrity before deserialization.
  • Harden Redis deployments by enforcing authentication, enabling TLS encryption, restricting network exposure, and isolating cache network access.
Compliance Impact

The vulnerability allows arbitrary command execution in the backend container context by exploiting unsafe deserialization of Redis cache data. This compromises confidentiality, integrity, and availability of the system.

Such a compromise can lead to unauthorized access or manipulation of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, this vulnerability poses a significant risk to meeting these regulatory standards due to potential data breaches and loss of data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart