Remote Code Execution in AutoGPT Platform Affected by Authentication Issues
CVE-2026-24780

8.6HIGH

Key Information:

Vendor

Significant-gravitas

Status
Autogpt
Vendor
CVE Published:
29 January 2026

What is CVE-2026-24780?

The AutoGPT Platform, which facilitates the management and deployment of AI agents, has a vulnerability affecting its block execution endpoints. An authentication oversight allows users to execute blocks by UUID without necessary checks on the 'disabled' flag. Consequently, any authenticated user can run the 'BlockInstallationBlock', leading to arbitrary code execution on the server. This poses a significant risk, especially in self-hosted deployments with Supabase signup enabled, as attackers can create accounts to exploit the flaw. Solutions have been implemented in version autogpt-platform-beta-v0.6.44.

Affected Version(s)

AutoGPT >= 0.1.0, < 0.6.44

References

https://github.com/Significant-Gravitas/AutoGPT/security/...
x_refsource_CONFIRM
https://github.com/Significant-Gravitas/AutoGPT/blob/mast...
x_refsource_MISC
https://github.com/Significant-Gravitas/AutoGPT/blob/mast...
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.