CVE-2026-33235: AutoGPT DoS Vulnerability via Templates

CVE-2026-33235 is a Denial of Service flaw in AutoGPT that allows attackers to exhaust server resources through computationally expensive expressions. This article covers technical details, affected versions, and mitigation steps.

CVE-2026-33235 Overview

CVE-2026-33235 affects AutoGPT, an open-source workflow automation platform for building and operating continuous artificial intelligence agents. The Fill Text Template block accepts user-supplied Jinja2 expressions and renders them through a SandboxedEnvironment. The sandbox blocks attribute access such as __class__ but does not constrain expression complexity or execution time. An authenticated user can submit computationally expensive Jinja2 or Python expressions that exhaust CPU and memory, hanging or crashing the host. The flaw is fixed in version 0.6.52.

Critical Impact

An authenticated attacker can trigger sustained CPU and memory exhaustion in shared or self-hosted AutoGPT deployments, producing a service-wide outage and "noisy neighbor" disruption that requires manual administrative recovery.

Affected Products

  • AutoGPT Platform versions prior to 0.6.52
  • Self-hosted AutoGPT deployments exposing the Fill Text Template block
  • Multi-tenant AutoGPT environments sharing compute resources

Discovery Timeline

  • 2026-06-24 - CVE-2026-33235 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-33235

Vulnerability Analysis

The weakness is classified as [CWE-400] Uncontrolled Resource Consumption. The Fill Text Template block renders user input with Jinja2 inside a SandboxedEnvironment. The sandbox is designed to block dangerous attribute access and reflection paths, but it does not enforce evaluation timeouts, recursion depth limits, output size caps, or CPU and memory quotas.

Because Jinja2 supports loops, range generation, and string multiplication, an attacker can craft a short expression that expands into billions of operations or gigabytes of intermediate state. The block evaluates in the main worker process, so a single malicious template stalls the request pipeline for every tenant served by that worker.

Recovery typically requires an administrator to kill the offending worker or restart the platform. Queued jobs from other users fail or stall during the outage.

Root Cause

The sandbox enforces attribute and import restrictions but treats compute as unbounded. There is no wall-clock timeout, no MAX_ITERATIONS style guard on Jinja2 loops, and no resource limit on the rendering process. Trusting the sandbox to be "safe" overlooks the algorithmic complexity dimension entirely.

Attack Vector

Exploitation requires network access to the AutoGPT API and a low-privilege authenticated account, consistent with the CVSS scope-changed availability impact. The attacker creates or edits an agent containing a Fill Text Template block whose template body uses nested loops, large range() expansions, or repeated string concatenation. Triggering the block forces the server to evaluate the payload, consuming CPU and memory until the process becomes unresponsive or the operating system terminates it. Repeated submissions sustain the outage.

No verified public exploit code is associated with this advisory. The GitHub Security Advisory GHSA-ppw9-h7rv-gwq9 describes the conditions and the fix in version 0.6.52.

Detection Methods for CVE-2026-33235

Indicators of Compromise

  • Sustained CPU utilization at or near 100% on AutoGPT worker processes without a corresponding rise in legitimate workflow throughput.
  • Resident memory growth in the AutoGPT backend process followed by out-of-memory kills logged by the host or container runtime.
  • API requests creating or executing agents that contain Fill Text Template blocks with unusually large loop counts, range() arguments, or repeated multiplication operators in the template body.

Detection Strategies

  • Inspect agent and block definitions for Jinja2 templates containing nested {% for %} loops, range() with arguments above a sane threshold, or string multiplication patterns such as 'x' * 10**7.
  • Correlate authenticated user activity with worker process resource spikes to identify the account that submitted the offending template.
  • Alert on AutoGPT worker restarts or container OOM events that occur shortly after a Fill Text Template execution event in application logs.

Monitoring Recommendations

  • Export AutoGPT application logs and host metrics into a centralized analytics platform and build dashboards that join template-block execution events with CPU and memory telemetry.
  • Track per-user rates of block creation and execution to baseline normal behavior and flag anomalous bursts.
  • Monitor for repeated 5xx responses and request-queue backpressure on the AutoGPT API as secondary signals of an ongoing resource exhaustion attempt.

How to Mitigate CVE-2026-33235

Immediate Actions Required

  • Upgrade AutoGPT to version 0.6.52 or later, which contains the upstream fix for the Fill Text Template block.
  • Audit existing agents for Fill Text Template blocks containing large loops, range() expansions, or repeated multiplication, and disable or remove suspicious entries.
  • Restrict who can create or edit agents in multi-tenant deployments until the upgrade is complete.
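The template audit described under Detection Strategies and in the audit step above can be scripted. The following is an added example, not code from AutoGPT or the advisory: a standard-library static check that flags nested `{% for %}` loops, large constants inside `range()`, and large operands next to a multiplication operator. The thresholds, rule names and sample templates are assumptions made for illustration.

```python
import re

# Thresholds are assumptions for this example; tune them to real workloads.
MAX_LOOP_DEPTH = 1     # nested {% for %} deeper than this is flagged
MAX_RANGE = 100_000    # largest constant tolerated inside range()
MAX_REPEAT = 100_000   # largest constant tolerated next to a single '*'

NUM = r"(?<![\w.])\d[\d_]*(?:\s*\*\*\s*\d+)*"      # 5, 10_000, 10**7, 10**10**10
COMMENT = re.compile(r"\{#.*?#\}", re.S)
CODE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)  # only evaluated regions
FOR_TAG = re.compile(r"\{%[-+]?\s*(for|endfor)\b")
RANGE = re.compile(r"\brange\s*\(([^()]*)\)")
MUL = re.compile(rf"(?<!\*)\*(?!\*)\s*({NUM})|({NUM})\s*(?<!\*)\*(?!\*)")

def _value(tok):
    """Evaluate 'N' or 'N**M...' with a capped exponent so the audit stays cheap."""
    parts = [int(p) for p in re.sub(r"[\s_]", "", tok).split("**")]
    val = parts.pop()
    while parts:                       # '**' is right-associative
        val = parts.pop() ** min(val, 64)
    return val

def audit_template(src):
    """Return (rule, value) findings for one Fill Text Template body."""
    src = COMMENT.sub("", src)         # comments are never evaluated
    findings, depth, deepest = [], 0, 0
    for tag in FOR_TAG.finditer(src):
        depth = depth + 1 if tag.group(1) == "for" else max(depth - 1, 0)
        deepest = max(deepest, depth)
    if deepest > MAX_LOOP_DEPTH:
        findings.append(("nested-for", deepest))
    for m in CODE.finditer(src):
        code = m.group(1) or m.group(2) or ""
        for args in RANGE.findall(code):
            findings += [("range", _value(n)) for n in re.findall(NUM, args)
                         if _value(n) > MAX_RANGE]
        for right, left in MUL.findall(code):
            if _value(right or left) > MAX_REPEAT:
                findings.append(("multiply", _value(right or left)))
    return findings

if __name__ == "__main__":
    # Constructed sample block bodies, keyed by a made-up block id.
    samples = {"greeting": "Hi {{ name }}{% for i in items %}{{ i }}{% endfor %}",
               "padding": "{{ 'x' * 10**7 }}"}
    for block_id, body in samples.items():
        print(block_id, audit_template(body) or "ok")
```

A static check only sees constants written in the template; sizes supplied through input variables are invisible to it, so it complements the upgrade and the resource limits rather than replacing them.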

Patch Information

The issue is resolved in AutoGPT Platform autogpt-platform-beta-v0.6.52. Release details are documented in the AutoGPT v0.6.52 release notes and the GitHub Security Advisory GHSA-ppw9-h7rv-gwq9.

Workarounds

  • Run AutoGPT workers in containers with hard cpu and memory limits so a single malicious template cannot starve the host.
  • Place the AutoGPT API behind a reverse proxy that enforces per-user request rate limits and execution timeouts.
  • Temporarily disable the Fill Text Template block in environments where untrusted users can author agents until the patch is applied.

```bash
# Example container resource limits for a self-hosted AutoGPT worker
docker run -d \
  --name autogpt-worker \
  --cpus="2.0" \
  --memory="2g" \
  --memory-swap="2g" \
  --pids-limit=256 \
  --restart=on-failure \
  ghcr.io/significant-gravitas/autogpt:0.6.52
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
