CVE-2026-33235 Overview
CVE-2026-33235 affects AutoGPT, an open-source workflow automation platform for building and operating continuous artificial intelligence agents. The Fill Text Template block accepts user-supplied Jinja2 expressions and renders them through a SandboxedEnvironment. The sandbox blocks attribute access such as __class__ but does not constrain expression complexity or execution time. An authenticated user can submit computationally expensive Jinja2 or Python expressions that exhaust CPU and memory, hanging or crashing the host. The flaw is fixed in version 0.6.52.
Critical Impact
An authenticated attacker can trigger sustained CPU and memory exhaustion in shared or self-hosted AutoGPT deployments, producing a service-wide outage and "noisy neighbor" disruption that requires manual administrative recovery.
Affected Products
- AutoGPT Platform versions prior to 0.6.52
- Self-hosted AutoGPT deployments exposing the Fill Text Template block
- Multi-tenant AutoGPT environments sharing compute resources
Discovery Timeline
- 2026-06-24 - CVE-2026-33235 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-33235
Vulnerability Analysis
The weakness is classified as [CWE-400] Uncontrolled Resource Consumption. The Fill Text Template block renders user input with Jinja2 inside a SandboxedEnvironment. The sandbox is designed to block dangerous attribute access and reflection paths, but it does not enforce evaluation timeouts, recursion depth limits, output size caps, or CPU and memory quotas.
Because Jinja2 supports loops, range generation, and string multiplication, an attacker can craft a short expression that expands into billions of operations or gigabytes of intermediate state. The block evaluates in the main worker process, so a single malicious template stalls the request pipeline for every tenant served by that worker.
Recovery typically requires an administrator to kill the offending worker or restart the platform. Queued jobs from other users fail or stall during the outage.
Root Cause
The sandbox enforces attribute and import restrictions but treats compute as unbounded. There is no wall-clock timeout, no MAX_ITERATIONS style guard on Jinja2 loops, and no resource limit on the rendering process. Trusting the sandbox to be "safe" overlooks the algorithmic complexity dimension entirely.
Attack Vector
Exploitation requires network access to the AutoGPT API and a low-privilege authenticated account, consistent with the CVSS scope-changed availability impact. The attacker creates or edits an agent containing a Fill Text Template block whose template body uses nested loops, large range() expansions, or repeated string concatenation. Triggering the block forces the server to evaluate the payload, consuming CPU and memory until the process becomes unresponsive or the operating system terminates it. Repeated submissions sustain the outage.
No verified public exploit code is associated with this advisory. The GitHub Security Advisory GHSA-ppw9-h7rv-gwq9 describes the conditions and the fix in version 0.6.52.
Detection Methods for CVE-2026-33235
Indicators of Compromise
- Sustained CPU utilization at or near 100% on AutoGPT worker processes without a corresponding rise in legitimate workflow throughput.
- Resident memory growth in the AutoGPT backend process followed by out-of-memory kills logged by the host or container runtime.
- API requests creating or executing agents that contain Fill Text Template blocks with unusually large loop counts, range() arguments, or repeated multiplication operators in the template body.
Detection Strategies
- Inspect agent and block definitions for Jinja2 templates containing nested {% for %} loops, range() with arguments above a sane threshold, or string multiplication patterns such as 'x' * 10**7.
- Correlate authenticated user activity with worker process resource spikes to identify the account that submitted the offending template.
- Alert on AutoGPT worker restarts or container OOM events that occur shortly after a Fill Text Template execution event in application logs.
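The template inspection described in the first strategy can be automated with a static scan. The following is an added example, not AutoGPT project code; the thresholds, function names and sample template ids are assumptions chosen for illustration, and the template bodies are constructed.

```python
import re

# Thresholds are assumptions for illustration; tune them per deployment.
MAX_RANGE = 10_000       # largest literal range() argument allowed
MAX_REPEAT = 10_000      # largest literal right-hand side of `*`
MAX_LOOP_DEPTH = 1       # {% for %} nesting allowed before flagging
_LOOP = re.compile(r"\{%[-+]?\s*(for|endfor)\b")
_RANGE = re.compile(r"\brange\s*\(([^()]*)\)")
_REPEAT = re.compile(r"(?<!\*)\*(?!\*)\s*([0-9]+(?:\s*\*\*\s*[0-9]+)?)")

def _value(expr):
    """Size of an 'N' or 'N**M' literal without eval(); None if not a literal."""
    m = re.fullmatch(r"\s*([0-9]+)(?:\s*\*\*\s*([0-9]+))?\s*", expr)
    if not m:
        return None
    if len(m.group(1)) > 9 or len(m.group(2) or "") > 3:
        return float("inf")  # keep the scanner's own arithmetic bounded
    return int(m.group(1)) ** int(m.group(2) or 1)

def scan_template(src):
    """Return human-readable findings for one Fill Text Template body."""
    findings, depth, deepest = [], 0, 0
    for m in _LOOP.finditer(src):
        depth = max(depth + (1 if m.group(1) == "for" else -1), 0)
        deepest = max(deepest, depth)
    if deepest > MAX_LOOP_DEPTH:
        findings.append(f"nested for loops (depth {deepest})")
    for m in _RANGE.finditer(src):
        sizes = [_value(arg) for arg in m.group(1).split(",")]
        if any(s is not None and s > MAX_RANGE for s in sizes):
            findings.append(f"large range(): {m.group(0)}")
    for m in _REPEAT.finditer(src):
        if _value(m.group(1)) > MAX_REPEAT:
            findings.append(f"large repeat: * {m.group(1)}")
    return findings

def audit(templates):
    """Map template id -> findings, keeping only templates that were flagged."""
    scanned = ((tid, scan_template(body)) for tid, body in templates.items())
    return {tid: found for tid, found in scanned if found}

# Constructed sample bodies (not real AutoGPT exports); ids are hypothetical.
SAMPLES = {
    "greeting": "Hello {{ name }}, you have {{ count * 2 }} items",
    "listing": "{% for u in users %}{{ u }}{% endfor %}",
    "repeat": "{{ 'x' * 10**7 }}",
    "nested": "{% for i in range(50000) %}{% for j in range(50000) %}"
              "x{% endfor %}{% endfor %}",
}
```

The scan is a heuristic over literal values only: a template whose loop bound or repeat count comes from a variable is not flagged, so pair it with the runtime signals listed above.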
Monitoring Recommendations
- Export AutoGPT application logs and host metrics into a centralized analytics platform and build dashboards that join template-block execution events with CPU and memory telemetry.
- Track per-user rates of block creation and execution to baseline normal behavior and flag anomalous bursts.
- Monitor for repeated 5xx responses and request-queue backpressure on the AutoGPT API as secondary signals of an ongoing resource exhaustion attempt.
How to Mitigate CVE-2026-33235
Immediate Actions Required
- Upgrade AutoGPT to version 0.6.52 or later, which contains the upstream fix for the Fill Text Template block.
- Audit existing agents for Fill Text Template blocks containing large loops, range() expansions, or repeated multiplication, and disable or remove suspicious entries.
- Restrict who can create or edit agents in multi-tenant deployments until the upgrade is complete.
Patch Information
The issue is resolved in the AutoGPT Platform release autogpt-platform-beta-v0.6.52. Release details are documented in the AutoGPT v0.6.52 release notes and the GitHub Security Advisory GHSA-ppw9-h7rv-gwq9.
Workarounds
- Run AutoGPT workers in containers with hard CPU and memory limits so a single malicious template cannot starve the host.
- Place the AutoGPT API behind a reverse proxy that enforces per-user request rate limits and execution timeouts.
- Temporarily disable the Fill Text Template block in environments where untrusted users can author agents until the patch is applied.
# Example container resource limits for a self-hosted AutoGPT worker
docker run -d \
  --name autogpt-worker \
  --cpus="2.0" \
  --memory="2g" \
  --memory-swap="2g" \
  --pids-limit=256 \
  --restart=on-failure \
  ghcr.io/significant-gravitas/autogpt:0.6.52

