CVE-2026-33233 Overview
CVE-2026-33233 is an insecure deserialization vulnerability [CWE-94] in AutoGPT, a workflow automation platform for creating, deploying, and managing continuous AI agents. The flaw affects AutoGPT platform versions 0.6.34 through 0.6.51. The backend deserializes Redis cache bytes using pickle.loads without integrity or authenticity checks. An attacker able to poison a shared-cache key in Redis can execute arbitrary commands in the backend container context. Significant-Gravitas released version 0.6.52 to remediate the issue.
Critical Impact
Successful exploitation grants arbitrary command execution inside the AutoGPT backend container, compromising confidentiality, integrity, and availability of the AI agent platform.
Affected Products
- AutoGPT platform version 0.6.34
- AutoGPT platform versions 0.6.35 through 0.6.50
- AutoGPT platform version 0.6.51
Discovery Timeline
- 2026-05-19 - CVE-2026-33233 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-33233
Vulnerability Analysis
The AutoGPT backend uses Redis as a shared cache layer between platform components. The write path serializes Python objects using pickle.dumps(...) and stores the resulting bytes in Redis. The read path retrieves those bytes and invokes pickle.loads(...) directly on the values.
No HMAC, digital signature, or strict schema validation gates the deserialization. Python's pickle module is documented as unsafe for untrusted input because deserialization can invoke arbitrary callables via the __reduce__ protocol. When an attacker controls the byte stream, they control the code that runs during unpickling.
The issue is categorized under [CWE-94: Improper Control of Generation of Code]. Exploitation requires high privileges and adjacent network access to the Redis instance, which raises attack complexity but does not eliminate risk in shared or misconfigured deployments.
Root Cause
The backend treats Redis as a trusted boundary. It does not authenticate cached payloads before deserializing them. Any actor that can write to a shared cache key, whether through Redis exposure, credential reuse, or a co-tenant compromise, can inject a malicious pickle payload. The next read of that key triggers code execution inside the AutoGPT backend process.
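As an added illustration (not code from the AutoGPT project), the trusting read pattern described above next to a hardened replacement that authenticates every cached value with an HMAC bound to the key name and parses JSON instead of unpickling. The Redis client is a constructed in-memory stand-in and the secret is a placeholder.

```python
import hashlib
import hmac
import json
import pickle

# Constructed stand-in for the Redis client used by the backend: a dict of raw bytes.
class FakeRedis:
    def __init__(self):
        self._store = {}
    def set(self, key, value):
        self._store[key] = value
    def get(self, key):
        return self._store.get(key)

# Vulnerable pattern from the advisory: bytes read from the shared cache go straight to
# pickle.loads, so whoever can write the key decides what the backend executes.
def vulnerable_read(redis, key):
    raw = redis.get(key)
    return None if raw is None else pickle.loads(raw)

# Hypothetical secret; a real deployment injects a random per-environment key from a secret store.
CACHE_HMAC_KEY = b"constructed-demo-secret-replace-me"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def _tag(key, body):
    # Bind the tag to the cache key name as well as the body, so a valid value
    # cannot simply be copied under a different key.
    return hmac.new(CACHE_HMAC_KEY, key.encode() + b"\x00" + body, hashlib.sha256).digest()

def hardened_write(redis, key, obj):
    """Serialize to JSON (parsing it cannot invoke callables) and prepend an HMAC-SHA256 tag."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    redis.set(key, _tag(key, body) + body)

def hardened_read(redis, key):
    """Verify the tag in constant time before parsing; a bad tag is a cache miss, never code."""
    raw = redis.get(key)
    if raw is None or len(raw) <= TAG_LEN:
        return None
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        return None  # integrity failure: log it upstream and treat the key as missing
    return json.loads(body)
```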
Attack Vector
The attacker first obtains write access to a Redis key consumed by the AutoGPT backend. They craft a pickle payload whose __reduce__ method returns a callable such as os.system with attacker-chosen arguments. They write the payload bytes to the targeted cache key. When the AutoGPT backend reads the key and calls pickle.loads, the embedded callable executes inside the backend container, yielding command execution with the privileges of the backend process. See the GitHub Security Advisory for additional technical context.
Detection Methods for CVE-2026-33233
Indicators of Compromise
- Unexpected child processes spawned by the AutoGPT backend container, such as sh, bash, curl, wget, or python invoked outside normal workflow execution.
- Outbound network connections from the backend container to unfamiliar IP addresses or domains shortly after Redis read activity.
- Redis keys containing byte sequences starting with the pickle opcode \x80 followed by data referencing os, subprocess, or posix modules.
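An added example (not code from the advisory or the AutoGPT project) that applies the last indicator above to a snapshot of cache values: it walks pickle opcodes with pickletools.genops, which never executes the stream, and reports references to the modules the indicator names. The sample snapshot is constructed; the only "suspicious" value merely references a function by name and contains no call.

```python
import pickle
import pickletools
import subprocess

# Top-level modules whose appearance in a cached pickle is a red flag (from the indicators above).
SUSPICIOUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins"}

def pickle_globals(data):
    """List (module, name) pairs a pickle stream references, WITHOUT executing it.
    Simplification: STACK_GLOBAL operands are taken from the two most recent string pushes,
    which matches pickle.dumps output but can be fooled by hand-built streams using memo lookups."""
    refs, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):      # protocol <= 3: "module name" in one arg
            module, _, name = arg.partition(" ")
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL":         # protocol >= 4: module and name pushed earlier
            if len(recent_strings) >= 2:
                refs.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return refs

def scan_cache_value(data):
    """Classify one cached value: pickle or not, and which risky module references it carries."""
    report = {"is_pickle": data[:1] == b"\x80", "suspicious": []}
    if not report["is_pickle"]:
        return report
    try:
        refs = pickle_globals(data)
    except Exception:
        report["suspicious"].append("malformed pickle stream")  # truncated or hand-built: investigate
        return report
    for module, name in refs:
        if module.split(".")[0] in SUSPICIOUS_MODULES:
            report["suspicious"].append(f"{module}.{name}")
    return report

def scan_cache(cache):
    """Return the keys whose values deserve quarantine, from a {key: bytes} snapshot of the cache."""
    return [k for k, v in cache.items() if scan_cache_value(v)["suspicious"]]

# Constructed sample snapshot: benign pickled dict, a pickle referencing subprocess by name only, and a non-pickle.
SAMPLE_CACHE = {
    "autogpt:cache:user:42": pickle.dumps({"user": "alice", "credits": 10}),
    "autogpt:cache:user:43": pickle.dumps(subprocess.check_output),
    "autogpt:cache:token": b"plain-opaque-token",
}
```

In a live deployment the snapshot would come from SCAN plus GET against the AutoGPT namespace, run from a read-only client.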
Detection Strategies
- Monitor process lineage on AutoGPT backend hosts and flag any non-Python child process descending from the backend worker.
- Inspect Redis traffic for SET operations against AutoGPT cache keys originating from unexpected client IPs.
- Apply static analysis or runtime hooks to detect calls to pickle.loads on data sourced from external systems.
Monitoring Recommendations
- Enable Redis ACL logging and audit all clients writing to AutoGPT-managed namespaces.
- Forward backend container stdout, stderr, and audit logs to a centralized analytics platform for behavioral baselining.
- Alert on shell or interpreter execution inside backend containers, since the AutoGPT runtime should not spawn interactive shells.
How to Mitigate CVE-2026-33233
Immediate Actions Required
- Upgrade the AutoGPT platform to version 0.6.52 or later, which removes the unsafe pickle.loads usage on cached Redis values.
- Restrict Redis network exposure to the AutoGPT backend only and require authentication on every connection.
- Rotate Redis credentials and audit access logs for unauthorized writes to cache keys used by AutoGPT.
Patch Information
Significant-Gravitas resolved the vulnerability in AutoGPT platform 0.6.52. Release details are available in the GitHub Release Note. Operators running any version from 0.6.34 through 0.6.51 should upgrade without delay.
Workarounds
- Place Redis on an isolated network segment reachable only by trusted AutoGPT components.
- Enforce Redis requirepass and TLS, and disable dangerous commands for non-administrative clients.
- If immediate upgrade is not possible, flush and recreate any shared-cache keys after restricting write access to reduce the window for payload injection.
# Configuration example: restrict Redis access and require auth
# /etc/redis/redis.conf
bind 10.0.0.10 127.0.0.1
protected-mode yes
requirepass <strong-random-secret>
rename-command FLUSHALL ""
rename-command CONFIG ""
# Restart Redis after applying changes
systemctl restart redis-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.