CVE-2026-24780

HIGH WAF: Medium

CVSS 8.8 Published: 2026-01-29

CWE-94 CWE-863

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.

WAF Coverage Analysis

Code Injection Medium WAF Coverage

OWASP: A03:2021 Injection

932xxx - Remote Code Execution 933xxx - PHP Injection 934xxx - Node.js / Generic Injection

Incorrect Authorization Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor	Product	Version
agpt	autogpt_platform	0.1.0 - 0.6.44

References

github.com (Product)
github.com (Product)
github.com (Product)
github.com (Product)
github.com (Product)
github.com (Exploit, Vendor Advisory)

Back to CVE Database