CVE-2026-56663
SSRF Bypass via IPv4-Mapped IPv6 in AutoGPT

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.
Affected Vendors & Products
Vendor                Product   Version / Range
significant_gravitas  autogpt   up to 0.6.52 (excluding)
significant_gravitas  autogpt   0.6.52
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

This vulnerability allows an authenticated user to bypass SSRF protections and access internal network services, potentially leading to unauthorized information disclosure and further exploitation.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and internal systems.

Specifically, the compromise of confidentiality, integrity, and availability of internal services as indicated by the CVSS score (8.5) suggests a risk of violating data protection and privacy requirements mandated by these regulations.

Executive Summary

This vulnerability affects the AutoGPT platform versions prior to 0.6.52. It allows an authenticated user to bypass Server-Side Request Forgery (SSRF) protections in the SendWebRequestBlock feature. The root cause is that the IP validation function does not properly normalize IPv4-mapped IPv6 addresses before checking them against blocked IPv4 ranges. Because of this, a hostname resolving to such an IPv6 address can bypass the protections and reach internal network services that should be restricted.

Additionally, the function does not block the Carrier-Grade NAT (CGNAT) IP range 100.64.0.0/10, which further enables access to internal services. An attacker can exploit this by registering a domain with an AAAA record pointing to an IPv4-mapped IPv6 address of an internal target, causing the platform to connect to internal IPv4 endpoints despite protections.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to internal network services that are meant to be protected. Exploiting this flaw can lead to information disclosure, allowing attackers to retrieve sensitive data from internal endpoints.

Furthermore, it can affect the integrity and availability of the system by enabling attackers to interact with internal services in unintended ways, potentially leading to further exploitation or disruption of services.

Detection Guidance

Detecting exploitation means identifying whether hostnames submitted to the AutoGPT platform resolve to IPv4-mapped IPv6 addresses that would slip past the SSRF protections. You can also monitor network traffic for requests to internal IP ranges, especially the CGNAT range 100.64.0.0/10 or other private ranges that should be blocked.

Commands to help detect exploitation attempts or presence of the vulnerability might include:

  • Using network monitoring tools like tcpdump or Wireshark to capture outgoing requests from AutoGPT to internal IP addresses, e.g., `tcpdump -i any net 100.64.0.0/10` (a tcpdump `host` filter takes a single address; `net` matches a range)
  • Checking DNS resolutions for AAAA records that map to IPv4-mapped IPv6 addresses, e.g., using `dig AAAA <hostname>` or `host -t AAAA <hostname>`
  • Reviewing application logs for requests sent to internal IP addresses or unusual hostnames resolving to IPv4-mapped IPv6 addresses.

Since the vulnerability involves the function `_is_ip_blocked()` failing to normalize IPv4-mapped IPv6 addresses, inspecting the source code or enabling debug logging around this function may also help detect attempts to exploit this issue.

Mitigation Strategies

The primary mitigation step is to upgrade the AutoGPT platform to version 0.6.52 or later, where the vulnerability is fixed by normalizing IPv4-mapped IPv6 addresses before validation and adding the CGNAT range 100.64.0.0/10 to the blocklist.
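As an added illustration of the fix this paragraph describes and of the resolution review suggested under Detection Guidance (example code written for this page, not AutoGPT's own `_is_ip_blocked()` or its blocklist): a Python checker that unwraps IPv4-mapped IPv6 addresses (the `::ffff:a.b.c.d` form) to IPv4 before testing them, includes 100.64.0.0/10, and an `audit_resolution` helper that flags resolved addresses as they would appear in `dig AAAA` output or application logs. The pre-fix variant is shown beside it to make the bypass visible. The blocklist entries beyond the ranges the advisory names, and the sample resolutions, are assumptions constructed for this example.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable

# Blocklist of destination ranges. The advisory names the private IPv4 ranges
# and CGNAT 100.64.0.0/10 (RFC 6598); the other entries are common special-use
# ranges chosen for this example (an assumption, not the project's own list).
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "0.0.0.0/8",
        "10.0.0.0/8",
        "100.64.0.0/10",   # CGNAT (RFC 6598): absent from the pre-fix list
        "127.0.0.0/8",
        "169.254.0.0/16",  # link-local, including cloud metadata endpoints
        "172.16.0.0/12",
        "192.168.0.0/16",
        "::1/128",
        "fc00::/7",
        "fe80::/10",
    )
]

# The list in the shape the advisory describes before the fix: no CGNAT entry.
BLOCKED_NETWORKS_BEFORE_FIX = [n for n in BLOCKED_NETWORKS if str(n) != "100.64.0.0/10"]


def normalize_ip(raw: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    """Parse an address; unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to IPv4.

    Without this step an IPv6 address never matches an IPv4 network, because
    the ipaddress module treats membership across versions as False.
    """
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_ip_blocked_before_fix(raw: str) -> bool:
    """Check in the shape the advisory describes: raw address, no CGNAT range."""
    addr = ipaddress.ip_address(raw.strip())
    return any(addr in net for net in BLOCKED_NETWORKS_BEFORE_FIX)


def is_ip_blocked(raw: str) -> bool:
    """Hardened check: normalise first, then test against the full blocklist."""
    addr = normalize_ip(raw)
    return any(addr in net for net in BLOCKED_NETWORKS)


def audit_resolution(resolved: Iterable[str]) -> list[str]:
    """Return the resolved addresses that would reach a blocked range.

    Useful when reviewing `dig AAAA` output or application logs: an entry such
    as ::ffff:169.254.169.254 is flagged even though it is syntactically IPv6.
    """
    return [a for a in resolved if is_ip_blocked(a)]


# Constructed sample resolutions (not real DNS data), in the shape a resolver
# lookup would return for a hostname.
SAMPLE_RESOLUTIONS = {
    "mapped.example.invalid": ["::ffff:169.254.169.254"],
    "cgnat.example.invalid": ["100.64.12.34"],
    "public.example.invalid": ["203.0.113.10", "2001:db8::1"],
}


if __name__ == "__main__":
    for host, addrs in SAMPLE_RESOLUTIONS.items():
        after = audit_resolution(addrs)
        before = [a for a in addrs if is_ip_blocked_before_fix(a)]
        print(f"{host}: blocked after fix={after}, blocked before fix={before}")
```

Run as a script, the mapped and CGNAT hosts are blocked only by the hardened check, while the public host passes both. Two design points carry over to any SSRF guard: IPv4-mapped addresses are one of several IPv4-in-IPv6 embeddings (the ipaddress module also exposes `sixtofour` and `teredo` for 6to4 and Teredo addresses), so normalisation should cover every embedding the deployment can reach; and the check should be applied to the address the HTTP client actually connects to, not to a separate lookup performed earlier, so that a hostname cannot resolve differently between validation and connection.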

If immediate upgrade is not possible, consider the following temporary mitigations:

  • Restrict authenticated user access to the SendWebRequestBlock feature or disable it temporarily to prevent SSRF exploitation.
  • Implement network-level controls such as firewall rules to block outgoing requests from the AutoGPT platform to internal IP ranges, including CGNAT and private IP spaces.
  • Monitor and audit logs for suspicious requests to internal IP addresses and investigate any anomalies.