CVE-2026-24780
📋 TL;DR
This vulnerability allows authenticated users in AutoGPT Platform to execute disabled BlockInstallationBlock components, which write arbitrary Python code to the server filesystem and execute it via __import__(), leading to remote code execution. Affected systems are self-hosted AutoGPT Platform deployments where attackers can self-register if signup is enabled, or need existing accounts if signup is disabled.
💻 Affected Systems
- AutoGPT Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attacker to execute arbitrary commands, access sensitive data, install persistent backdoors, or pivot to other systems.
Likely Case
Attacker gains shell access to the AutoGPT server, potentially compromising AI workflows, stealing credentials, or using the server for further attacks.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place to contain the breach.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once authenticated. The vulnerability is in public code repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: autogpt-platform-beta-v0.6.44
Vendor Advisory: https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py
Restart Required: Yes
Instructions:
1. Update AutoGPT Platform to version autogpt-platform-beta-v0.6.44 or later. 2. Restart the AutoGPT service. 3. Verify the fix by checking that disabled blocks cannot be executed.
🔧 Temporary Workarounds
Disable Block Execution Endpoints
allTemporarily disable the vulnerable block execution endpoints until patching is complete.
# Modify API configuration to disable /api/external/v1/execute and /api/features/v1/execute endpoints
Disable User Registration
allIf using self-hosted deployment, disable Supabase signup to prevent attacker self-registration.
# Set SUPABASE_SIGNUP_ENABLED=false in environment configuration
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the AutoGPT API endpoints.
- Enable detailed logging and monitoring for block execution attempts, especially for disabled blocks.
🔍 How to Verify
Check if Vulnerable:
Check if AutoGPT Platform version is earlier than autogpt-platform-beta-v0.6.44 by examining the version in deployment configuration or running version check command.Check Version:
Check the version in your AutoGPT deployment configuration file or run: grep -r "version" /path/to/autogpt/config/Verify Fix Applied:
After updating, attempt to execute a disabled BlockInstallationBlock via API; it should be rejected with proper authorization error.📡 Detection & Monitoring
Log Indicators:
- API logs showing execution attempts on disabled blocks, especially BlockInstallationBlock
- Unexpected Python code execution or file write operations in server logs
Network Indicators:
- Unusual outbound connections from AutoGPT server
- HTTP POST requests to /api/external/v1/execute or /api/features/v1/execute endpoints
SIEM Query:
source="autogpt_logs" AND (message="*execute*disabled*block*" OR message="*BlockInstallationBlock*executed*")🔗 References
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78
- https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459
- https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v
