CVE-2026-33232 Overview
CVE-2026-33232 is an unauthenticated denial-of-service vulnerability in AutoGPT, a workflow automation platform for building and managing continuous AI agents. The flaw affects versions 0.4.2 through 0.6.51 and is tracked as uncontrolled resource consumption [CWE-400]. The download_agent_file endpoint creates persistent temporary files for every request but never deletes them after serving the response. Unauthenticated attackers can issue repeated requests to exhaust the server's disk space, triggering No space left on device errors that take down the database and other backend services. The issue is patched in version 0.6.52.
Critical Impact
An unauthenticated remote attacker can render the entire AutoGPT Platform backend unavailable to all users by exhausting server disk space through repeated calls to a single endpoint.
Affected Products
- AutoGPT Platform versions 0.4.2 through 0.6.51
- Significant-Gravitas AutoGPT backend deployments exposing the download_agent_file endpoint
- Self-hosted AutoGPT instances prior to autogpt-platform-beta-v0.6.52
Discovery Timeline
- 2026-05-19 - CVE-2026-33232 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-33232
Vulnerability Analysis
The vulnerability resides in the download_agent_file endpoint of the AutoGPT Platform backend. The endpoint allocates a persistent temporary file on disk for each incoming request to stage the agent file before delivery. After the response is served, the handler fails to release or unlink the temporary file. Each unauthenticated request therefore leaves a permanent artifact on the server's filesystem.
Because the endpoint requires no authentication, an attacker does not need credentials, tokens, or prior reconnaissance to reach the vulnerable code path. Sustained request volume causes the storage volume backing the temporary directory to fill. Once the disk is full, the PostgreSQL database and other backend services begin failing with No space left on device errors. The result is a complete outage of the AutoGPT Platform for every tenant of the affected instance.
Root Cause
The root cause is missing cleanup logic in the file-serving handler. Temporary files created during request handling are never deleted in a finally block, by a context manager, or by a background reaper. This is a classic uncontrolled resource consumption pattern where attacker-controlled request volume translates directly into permanent server-side state.
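The pattern described above, next to a handler that releases its staging file on every exit path. This is an added illustration, not AutoGPT's code: the function names, the `.json` suffix and the sample payload are assumptions, and reading the file back stands in for sending the response.

```python
import os
import tempfile
from contextlib import contextmanager


def stage_leaky(payload: bytes, tmp_dir: str) -> bytes:
    """Vulnerable shape: one persistent temp file per request, never unlinked."""
    tmp = tempfile.NamedTemporaryFile(dir=tmp_dir, suffix=".json", delete=False)
    tmp.write(payload)
    tmp.close()
    with open(tmp.name, "rb") as fh:  # stands in for serving the response
        return fh.read()
    # nothing removes tmp.name, so the file outlives the request


@contextmanager
def staged_file(payload: bytes, tmp_dir: str):
    """Yield a staging path and unlink it on success and on error alike."""
    fd, path = tempfile.mkstemp(dir=tmp_dir, suffix=".json")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass  # already removed


def stage_cleaned(payload: bytes, tmp_dir: str, fail: bool = False) -> bytes:
    with staged_file(payload, tmp_dir) as path:
        if fail:
            raise RuntimeError("simulated failure while sending")
        with open(path, "rb") as fh:
            return fh.read()


def leftover_after(handler, requests: int) -> int:
    """Run `requests` calls against a scratch directory and count what remains."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        for _ in range(requests):
            try:
                handler(b'{"agent": "constructed sample"}', tmp_dir)
            except RuntimeError:
                pass
        return len(os.listdir(tmp_dir))
```

Where a framework streams the file after the handler has returned, the unlink has to run once the response has been sent rather than in the handler's own `finally`.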
Attack Vector
Exploitation is performed over the network against the AutoGPT Platform HTTP API. An attacker scripts repeated HTTP requests to the download_agent_file endpoint, optionally in parallel, until the target's disk fills. No authentication, user interaction, or special tooling is required. The attack scales linearly with available bandwidth and the size of the temporary files produced per request.
A detailed description is available in the GitHub Security Advisory GHSA-374w-2pxq-c9jp.
Detection Methods for CVE-2026-33232
Indicators of Compromise
- Rapid, repeated unauthenticated requests to the download_agent_file endpoint from one or a few source IPs
- Sustained growth of the temporary file directory used by the AutoGPT backend without corresponding cleanup
- Database or backend service errors referencing No space left on device
- Disk utilization on the AutoGPT host trending toward 100% with no legitimate workload change
Detection Strategies
- Alert on high request rates to the download_agent_file route in web server, reverse proxy, or API gateway logs
- Monitor filesystem inode and capacity metrics on the AutoGPT host and trigger alerts on abnormal growth rates
- Correlate spikes in 5xx responses or database connection failures with disk capacity thresholds
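One way to implement the request-rate alert from access logs, as an added example that is not part of the original advisory. It assumes nginx "combined" log lines in chronological order and that the deployed route contains the string `download_agent_file`; the log lines, paths and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ROUTE_MARKER = "download_agent_file"  # assumption: substring of the deployed route
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3} '
)


def flag_bursts(lines, max_hits=5, window=timedelta(seconds=60)):
    """Return {ip: peak hit count inside one window} for IPs above max_hits.

    Expects lines in chronological order, as an access log is written.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ROUTE_MARKER not in m["path"]:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits that aged out of the window
            hits.popleft()
        if len(hits) > max_hits:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(hits))
    return peaks


def sample_log():
    """Constructed access-log lines (documentation IP ranges, made-up paths)."""
    base = datetime(2026, 5, 19, 10, 0, 0, tzinfo=timezone.utc)
    rows = []

    def add(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        rows.append((offset, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "-"'))

    for i in range(12):   # burst: 12 downloads in 24 seconds
        add("198.51.100.7", 2 * i, f"/download_agent_file/sample-{i}")
    for i in range(3):    # ordinary use: one download every 5 minutes
        add("203.0.113.20", 300 * i, "/download_agent_file/sample-a")
    for i in range(20):   # busy client on an unrelated route
        add("192.0.2.44", i, "/health")
    return [line for _, line in sorted(rows)]


if __name__ == "__main__":
    print(flag_bursts(sample_log()))
```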
Monitoring Recommendations
- Instrument the AutoGPT backend with disk usage metrics exported to your observability stack
- Track per-source-IP request counts to authentication-free endpoints and apply anomaly detection
- Forward AutoGPT and reverse proxy access logs to a centralized log platform for retention and search
How to Mitigate CVE-2026-33232
Immediate Actions Required
- Upgrade AutoGPT Platform to version 0.6.52 or later, which contains the official fix
- Restrict network exposure of the AutoGPT backend so the download_agent_file endpoint is not reachable from untrusted networks
- Apply rate limiting at the reverse proxy or API gateway for the affected endpoint until patching is complete
- Audit the temporary file directory on AutoGPT hosts and remove orphaned files generated before the patch
Patch Information
The maintainers patched this issue in autogpt-platform-beta-v0.6.52. Release details are available in the AutoGPT GitHub Release Notes. Operators should redeploy backend services from the patched release and verify that temporary files are released after download_agent_file requests complete.
Workarounds
- Place the AutoGPT backend behind authentication at the reverse proxy layer until upgrade is possible
- Enforce aggressive rate limits and per-IP quotas on the download_agent_file route
- Schedule a cron job or systemd timer to periodically purge stale files from the AutoGPT temporary directory
- Mount the temporary directory on a dedicated volume with quotas so exhaustion does not impact the database volume
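```nginx
# Example nginx rate-limit snippet for the affected endpoint

# http {} context: shared-memory zone keyed by client address, 5 requests per minute
limit_req_zone $binary_remote_addr zone=autogpt_dl:10m rate=5r/m;

# server {} context: match the location to the route as your deployment exposes it
location /download_agent_file {
    # serve up to 5 excess requests without delay, reject the rest
    limit_req zone=autogpt_dl burst=5 nodelay;
    proxy_pass http://autogpt_backend;
}
```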
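For the orphaned-file audit and the scheduled purge listed above, a cleaner that a cron job or systemd timer could invoke. It is an added example, not AutoGPT tooling: the directory, the `tmp_` prefix and the 15-minute age threshold are assumptions to replace with your deployment's values.

```python
import os
import stat
import tempfile
import time


def purge_stale(tmp_dir, max_age_s=900, prefix="", dry_run=True, now=None):
    """Remove regular files older than max_age_s; return (files, bytes)."""
    now = time.time() if now is None else now
    removed, reclaimed = 0, 0
    with os.scandir(tmp_dir) as entries:
        for entry in entries:
            if not entry.name.startswith(prefix):
                continue
            st = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode):
                continue  # leave directories, symlinks and sockets alone
            if now - st.st_mtime < max_age_s:
                continue  # recent file may belong to an in-flight download
            if not dry_run:
                try:
                    os.unlink(entry.path)
                except FileNotFoundError:
                    continue  # another cleaner got there first
            removed += 1
            reclaimed += st.st_size
    return removed, reclaimed


def demo():
    """Constructed directory: 3 stale files, 1 fresh file, 1 subdirectory."""
    with tempfile.TemporaryDirectory() as d:
        old = time.time() - 3600
        for i in range(3):
            path = os.path.join(d, f"tmp_stale_{i}")
            with open(path, "wb") as fh:
                fh.write(b"x" * 100)
            os.utime(path, (old, old))  # backdate to one hour ago
        with open(os.path.join(d, "tmp_fresh"), "wb") as fh:
            fh.write(b"y" * 100)
        os.mkdir(os.path.join(d, "tmp_subdir"))
        preview = purge_stale(d, prefix="tmp_", dry_run=True)
        applied = purge_stale(d, prefix="tmp_", dry_run=False)
        return preview, applied, sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first and compare the reported byte count with the directory's size before allowing deletion.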
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


