CVE-2026-24780 Overview
CVE-2026-24780 is a critical Remote Code Execution (RCE) vulnerability in the AutoGPT Platform, an AI agent automation system that enables users to create, deploy, and manage continuous artificial intelligence agents. The vulnerability exists in the block execution endpoints of both the main web API and external API, which fail to validate the disabled flag when executing blocks by UUID.
This flaw allows any authenticated user to execute the disabled BlockInstallationBlock, which can write arbitrary Python code to the server filesystem and execute it via Python's __import__() function. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection).
Critical Impact
Authenticated attackers can achieve full Remote Code Execution on AutoGPT Platform servers by bypassing disabled block controls and executing arbitrary Python code, potentially compromising the entire host system and any connected AI agents.
Affected Products
- AutoGPT Platform versions prior to autogpt-platform-beta-v0.6.44
- Self-hosted AutoGPT deployments with Supabase signup enabled
- Hosted AutoGPT deployments where attacker has existing account credentials
Discovery Timeline
- January 29, 2026 - CVE-2026-24780 published to NVD
- January 29, 2026 - Last updated in NVD database
Technical Details for CVE-2026-24780
Vulnerability Analysis
The vulnerability stems from a missing access control check in AutoGPT Platform's block execution mechanism. The platform uses a block-based architecture where various functional blocks can be executed via API endpoints. Some blocks are intentionally disabled due to security concerns, including the BlockInstallationBlock which has dangerous code execution capabilities.
The flawed implementation allows authenticated users to directly invoke any block by its UUID through the API endpoints at /api/external/v1/routes and /api/features/v1, regardless of whether the block has been marked as disabled. This bypass enables exploitation of the BlockInstallationBlock, which was specifically disabled to prevent arbitrary code execution.
The attack surface varies based on deployment configuration. In default self-hosted deployments where Supabase signup is enabled, attackers can simply self-register an account to gain the authentication required. In hosted deployments or configurations where signup is disabled, an attacker would need to obtain existing account credentials.
Root Cause
The root cause is an improper access control implementation in the block execution endpoints. When processing block execution requests, the code retrieves the block by UUID and proceeds with execution without checking the disabled flag property. This missing validation allows execution of any block, including those explicitly marked as disabled for security reasons.
The vulnerable code paths exist in multiple locations within the backend API, specifically in the routes handler and features modules, where the disabled attribute should be checked but is not enforced before block execution proceeds.
Attack Vector
The attack leverages the network-accessible API endpoints with low complexity requirements. An attacker with valid authentication credentials can craft API requests to execute the disabled BlockInstallationBlock by specifying its UUID. This block accepts arbitrary Python code as input, writes it to the server filesystem, and then executes it using Python's dynamic import mechanism via __import__().
The exploitation chain works as follows: the attacker authenticates to the platform, identifies or knows the UUID of the BlockInstallationBlock, sends an execution request with malicious Python code payload, and the server writes and executes this code with the privileges of the AutoGPT Platform process.
The vulnerability mechanism involves the block execution flow failing to check disabled status before execution. The BlockInstallationBlock receives arbitrary code input, writes it to the filesystem, and imports it dynamically, resulting in code execution. Technical details can be found in the GitHub Security Advisory GHSA-r277-3xc5-c79v.
Detection Methods for CVE-2026-24780
Indicators of Compromise
- Unexpected API calls to block execution endpoints (/api/external/v1/ or /api/features/v1/) referencing the BlockInstallationBlock UUID
- New or modified Python files appearing in the AutoGPT server filesystem outside of normal deployment processes
- Unusual process spawning from the AutoGPT backend process, especially Python interpreters or shell commands
- Authentication events followed by block execution requests for disabled blocks in application logs
Detection Strategies
- Implement API request monitoring to detect execution attempts targeting disabled blocks by correlating block UUIDs with their disabled status
- Deploy file integrity monitoring on the AutoGPT server filesystem to detect unexpected Python file creation or modification
- Configure web application firewall rules to inspect and alert on block execution API calls with suspicious payload patterns
- Enable detailed logging for all block execution requests and implement alerting for any execution attempts against known disabled block UUIDs
Monitoring Recommendations
- Review AutoGPT Platform logs for block execution requests, particularly those targeting UUIDs associated with disabled blocks
- Monitor process creation events on servers running AutoGPT for unexpected child processes or Python code execution
- Implement network monitoring to detect unusual outbound connections from AutoGPT servers that may indicate post-exploitation activity
- Audit user account creation and authentication patterns to identify potential attacker account registration in self-hosted deployments
How to Mitigate CVE-2026-24780
Immediate Actions Required
- Upgrade AutoGPT Platform to version autogpt-platform-beta-v0.6.44 or later immediately
- Review authentication logs for any suspicious account registrations or unauthorized access attempts
- Audit server filesystems for any unexpected Python files or modifications that may indicate prior exploitation
- If immediate upgrade is not possible, restrict network access to block execution API endpoints using firewall rules or reverse proxy configurations
Patch Information
The vulnerability has been fixed in AutoGPT Platform version autogpt-platform-beta-v0.6.44. The patch adds proper validation of the disabled flag in block execution endpoints, preventing execution of disabled blocks regardless of how they are referenced.
For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory GHSA-r277-3xc5-c79v.
Workarounds
- Disable public Supabase signup on self-hosted deployments to prevent attackers from self-registering accounts
- Implement network segmentation to restrict access to AutoGPT Platform API endpoints to trusted networks only
- Deploy a reverse proxy or API gateway with additional authentication and authorization controls in front of the AutoGPT backend
- If feasible, temporarily disable the external API endpoints until the platform can be upgraded to the patched version
# Example: Restrict API access via nginx reverse proxy
# Add to nginx configuration to limit block execution endpoints
location ~ ^/api/(external|features)/v1/ {
# Restrict to internal networks only until patched
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
proxy_pass http://autogpt_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
