CVE-2026-33235
Deferred Deferred - Pending Action

Denial of Service in AutoGPT via Fill Text Template Block

Vulnerability report for CVE-2026-33235, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions prior to 0.6.52, the Fill Text Template block is vulnerable to a Denial of Service (DoS) attack. While the backend implements a SandboxedEnvironment to prevent unauthorized attribute access (e.g., blocking __class__), it fails to limit the computational complexity or execution time of the expressions. An attacker can input computationally expensive Python/Jinja2 expressions that consume the server's CPU and memory, leading to a complete system hang or crash. In multi-tenant or self-hosted environments, this results in a complete service outage and "noisy neighbor" effects that require manual administrative intervention to recover. This issue has been fixed in version 0.6.52.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
autogpt autogpt to 0.6.52 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Fill Text Template block in AutoGPT versions prior to 0.6.52. Although the backend uses a SandboxedEnvironment to block unauthorized attribute access, it does not limit the computational complexity or execution time of expressions. An attacker can exploit this by submitting computationally expensive Python or Jinja2 expressions that consume excessive CPU and memory resources.

As a result, the server can hang or crash, causing a Denial of Service (DoS) condition.

Impact Analysis

The vulnerability can lead to a complete system hang or crash due to resource exhaustion caused by expensive computations.

In multi-tenant or self-hosted environments, this can cause a full service outage and "noisy neighbor" effects, where one tenant's actions degrade the service for others.

Recovery requires manual administrative intervention, which can lead to downtime and operational disruption.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade AutoGPT to version 0.6.52 or later, where the issue has been fixed.

This update addresses the problem by limiting the computational complexity and execution time of expressions in the Fill Text Template block, preventing Denial of Service attacks caused by expensive Python/Jinja2 expressions.

Compliance Impact

The vulnerability in AutoGPT's Fill Text Template block allows an attacker to cause a Denial of Service (DoS) by exhausting server CPU and memory resources, leading to system hangs or crashes. This can result in complete service outages and require manual intervention to recover.

While the vulnerability impacts availability, it does not directly affect confidentiality or integrity of data. Therefore, its primary compliance impact relates to availability requirements under standards like GDPR and HIPAA, which mandate ensuring system availability and resilience.

In multi-tenant or self-hosted environments, such outages could disrupt service continuity and potentially violate availability obligations under these regulations, possibly leading to non-compliance if not properly mitigated or remediated.

Detection Guidance

This vulnerability can be detected by monitoring the AutoGPT backend for signs of excessive CPU and memory usage, especially when processing Fill Text Template blocks. A key indicator is the presence of computationally expensive Jinja2 expressions causing resource exhaustion and system hangs or crashes.

One practical approach is to observe system resource usage during template processing and look for unusually high CPU or memory consumption.

Suggested commands to detect potential exploitation or resource exhaustion include:

  • Using top or htop to monitor CPU and memory usage: `top` or `htop`
  • Checking for processes consuming excessive resources: `ps aux --sort=-%cpu | head -n 10` or `ps aux --sort=-%mem | head -n 10`
  • Reviewing system logs for Out-of-Memory Killer events: `dmesg | grep -i 'killed process'`
  • Monitoring the AutoGPT backend logs for queued tasks or service outages indicating a hang or crash.

Additionally, submitting test payloads with computationally expensive expressions like `{{ (999999999**999999999) }}` in a controlled environment can help confirm if the system is vulnerable.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart