CVE-2026-24780

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.

An attacker identifies a publicly accessible self-hosted AutoGPT Platform instance. In the default configuration with Supabase signup enabled, the attacker self-registers a free account in seconds. Using the authenticated session, the attacker calls the block execution API endpoint with the well-known UUID of the disabled BlockInstallationBlock—a UUID discoverable directly from the open-source codebase on GitHub without any prior system access. The attacker embeds a Python reverse shell or credential-harvesting payload; the platform writes this code to the server filesystem and executes it via Python's __import__() function, achieving OS-level code execution. The attacker then exfiltrates all stored LLM provider API keys, cloud credentials, and agent workflow configurations, establishes persistence, and pivots into connected downstream services. The entire attack requires no AI/ML expertise—only basic HTTP API interaction and knowledge of the public GitHub repository.