CVE-2026-24780
- Source
- https://cve.org/CVERecord?id=CVE-2026-24780
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24780.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-24780
- Aliases
- Published
- 2026-01-29T17:39:33.524Z
- Modified
- 2026-01-30T02:34:41.083642Z
- Severity
-
- 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P CVSS Calculator
- Summary
- AutoGPT is Vulnerable to RCE via Disabled Block Execution
- Details
-
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the
disabledflag. Any authenticated user can execute the disabledBlockInstallationBlock, which writes arbitrary Python code to the server filesystem and executes it via__import__(), achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24780.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-276", "CWE-863", "CWE-94" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24780.json
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459
- https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v
- https://nvd.nist.gov/vuln/detail/CVE-2026-24780
Affected packages
Git / github.com/significant-gravitas/autogpt
Affected versions
agbenchmark-v0.*
agbenchmark-v0.0.10
agpt-platform-beta-v0.*
agpt-platform-beta-v0.1.0
agpt-platform-beta-v0.1.1
agpt-platform-beta-v0.2.0
autogpt-platform-beta-v0.*
autogpt-platform-beta-v0.2.1
autogpt-platform-beta-v0.2.2
autogpt-platform-beta-v0.3.0
autogpt-platform-beta-v0.3.1
autogpt-platform-beta-v0.3.2
autogpt-platform-beta-v0.3.3
autogpt-platform-beta-v0.3.4
autogpt-platform-beta-v0.4.0
autogpt-platform-beta-v0.4.1
autogpt-platform-beta-v0.4.10
autogpt-platform-beta-v0.4.11
autogpt-platform-beta-v0.4.2
autogpt-platform-beta-v0.4.3
autogpt-platform-beta-v0.4.4
autogpt-platform-beta-v0.4.5
autogpt-platform-beta-v0.4.6
autogpt-platform-beta-v0.4.7
autogpt-platform-beta-v0.4.8
autogpt-platform-beta-v0.4.9
autogpt-platform-beta-v0.5.0
autogpt-platform-beta-v0.5.1
autogpt-platform-beta-v0.6.0
autogpt-platform-beta-v0.6.1
autogpt-platform-beta-v0.6.10
autogpt-platform-beta-v0.6.11
autogpt-platform-beta-v0.6.12
autogpt-platform-beta-v0.6.13
autogpt-platform-beta-v0.6.14
autogpt-platform-beta-v0.6.15
autogpt-platform-beta-v0.6.16
autogpt-platform-beta-v0.6.17
autogpt-platform-beta-v0.6.18
autogpt-platform-beta-v0.6.19
autogpt-platform-beta-v0.6.2
autogpt-platform-beta-v0.6.20
autogpt-platform-beta-v0.6.21
autogpt-platform-beta-v0.6.22
autogpt-platform-beta-v0.6.23
autogpt-platform-beta-v0.6.24
autogpt-platform-beta-v0.6.25
autogpt-platform-beta-v0.6.26
autogpt-platform-beta-v0.6.27
autogpt-platform-beta-v0.6.28
autogpt-platform-beta-v0.6.29
autogpt-platform-beta-v0.6.3
autogpt-platform-beta-v0.6.30
autogpt-platform-beta-v0.6.31
autogpt-platform-beta-v0.6.32
autogpt-platform-beta-v0.6.33
autogpt-platform-beta-v0.6.34
autogpt-platform-beta-v0.6.35
autogpt-platform-beta-v0.6.36
autogpt-platform-beta-v0.6.37
autogpt-platform-beta-v0.6.38
autogpt-platform-beta-v0.6.39
autogpt-platform-beta-v0.6.4
autogpt-platform-beta-v0.6.40
autogpt-platform-beta-v0.6.41
autogpt-platform-beta-v0.6.42
autogpt-platform-beta-v0.6.43
autogpt-platform-beta-v0.6.5
autogpt-platform-beta-v0.6.6
autogpt-platform-beta-v0.6.7
autogpt-platform-beta-v0.6.8
autogpt-platform-beta-v0.6.9
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.2
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.3-alpha
v0.4.4
v0.4.5