CVE-2026-24780: agpt: Code Injection enables RCE

GHSA-r277-3xc5-c79v | Severity: HIGH | PoC available | CISA SSVC: Attend
Published January 29, 2026
CISO Take

A critical RCE vulnerability in AutoGPT Platform allows any authenticated user—including self-registered attackers in default Supabase deployments—to execute arbitrary Python code on your server by invoking a disabled block that bypasses authorization checks. Patch immediately to v0.6.44+, disable public signup, and rotate all credentials and API keys stored in or accessible from the platform. If self-hosting AutoGPT in production, treat this as an active incident until patched and audited.

What is the risk?

Effective risk is critical despite the CVSS 8.8 score. In default self-hosted deployments with Supabase signup enabled, the bar for exploitation drops to near-zero—any internet-accessible AutoGPT instance is vulnerable to effectively unauthenticated RCE requiring only a free account registration. Even with signup disabled, a single compromised low-privilege account yields full server control. The low attack complexity, no user interaction requirement, and network accessibility make this trivially exploitable at scale. EPSS of 0.00103 reflects early disclosure, not low exploitability—the attack path is straightforward and the vulnerable code is public.

What systems are affected?

Package            Ecosystem   Vulnerable Range   Patched
agpt               pip         <= 0.2.2           No patch
autogpt_platform                                  No patch

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 1.1% chance of exploitation in 30 days (higher than 63% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

7 steps
  1. PATCH

    Upgrade to autogpt-platform-beta-v0.6.44 or later immediately—no safe workaround exists that preserves full functionality.

  2. QUICK WIN

    Disable Supabase public signup to require attackers to have a pre-existing account while patching is underway.

  3. NETWORK

    Restrict AutoGPT backend API access to trusted networks; place behind VPN or IP allowlist if public exposure is not required.

  4. ROTATE CREDENTIALS

    After patching, rotate all API keys, LLM provider tokens (OpenAI, Anthropic), and integration credentials stored in or accessible from the platform—assume compromise if unpatched instances were internet-facing.

  5. DETECT

    Search web and API access logs for requests to block execution endpoints (external/v1/routes.py L79-93 and features/v1.py L1408-1424) using the BlockInstallationBlock UUID; unexpected executions by non-admin users are IOCs.

  6. AUDIT FILESYSTEM

    Review server filesystem for unexpected Python files written by the platform post-exploit.

  7. POST-PATCH

    Audit user accounts for unauthorized self-registrations and revoke as needed.
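For step 5 (DETECT), the following log-review helper is an added example and not AutoGPT Platform tooling. It flags POST requests that execute a watched block UUID from any account not on an admin allowlist. The log line shape, the endpoint path shape (an `execute` segment plus a UUID segment) and the UUID in `WATCHED_BLOCK_IDS` are constructed assumptions: substitute the real BlockInstallationBlock UUID from the platform's source and adapt `parse_line()` to your gateway's log format.

```python
"""Flag block-execution requests for a watched block UUID by non-admin users.

Added example, not project code. Log format, path shape and the watched UUID
are constructed assumptions; replace them with your deployment's real values.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Placeholder: substitute the real BlockInstallationBlock UUID from the codebase.
WATCHED_BLOCK_IDS: Set[str] = {"00000000-0000-4000-8000-00000000beef"}
# Accounts that are expected to touch administrative blocks.
ADMIN_USERS: Set[str] = {"admin"}

# Assumed line shape: "<iso-time> user=<id> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


@dataclass
class Finding:
    ts: str
    user: str
    path: str
    block_id: str
    status: str


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_block_execution(path: str) -> Optional[str]:
    """Return the block UUID if the path looks like a block-execution call
    (assumed shape: an 'execute' segment plus a UUID segment), else None."""
    if "execute" not in path.split("?")[0].lower():
        return None
    m = UUID_RE.search(path)
    return m.group(0).lower() if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Collect executions of watched blocks by accounts outside ADMIN_USERS.
    Status is kept on purpose: after the fix, a 403 here is still an attempt."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        block_id = is_block_execution(rec["path"])
        if block_id is None or block_id not in WATCHED_BLOCK_IDS:
            continue
        if rec["user"] in ADMIN_USERS:
            continue
        findings.append(Finding(rec["ts"], rec["user"], rec["path"], block_id, rec["status"]))
    return findings


# Constructed sample log; these lines are not from any real deployment.
SAMPLE_LOG = [
    "2026-01-30T10:00:01Z user=alice POST /api/v1/blocks/11111111-1111-4111-8111-111111111111/execute 200",
    "2026-01-30T10:00:07Z user=newuser42 POST /api/v1/blocks/00000000-0000-4000-8000-00000000beef/execute 200",
    "2026-01-30T10:00:09Z user=admin POST /external/v1/blocks/00000000-0000-4000-8000-00000000beef/execute 200",
    "2026-01-30T10:00:12Z user=newuser42 GET /api/v1/blocks/00000000-0000-4000-8000-00000000beef 200",
    "not a log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"IOC: {f.ts} user={f.user} block={f.block_id} status={f.status} path={f.path}")
```

Run it against the full retention window of both the main web API and the external API logs, since the advisory names both routes; one hit from a recently self-registered account is enough to move to the credential-rotation and filesystem-audit steps.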

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  • A.6.2.2 - AI System Security
  • A.6.2.4 - AI system access control
  • A.8.4 - AI System Lifecycle Security
  • A.9.4 - AI system security
NIST AI RMF
  • GOVERN 1.1 - Policies, Processes and Procedures for AI Risk
  • GOVERN 1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems safely
  • MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks
OWASP LLM Top 10
  • LLM06 - Excessive Agency
  • LLM07 - Insecure Plugin Design
  • LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-24780 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-24780, increasing the risk of exploitation.

What systems are affected by CVE-2026-24780?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI orchestration platforms, self-hosted AI deployments, API gateways for AI agents.

What is the CVSS score for CVE-2026-24780?

CVE-2026-24780 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.15%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • AI orchestration platforms
  • self-hosted AI deployments
  • API gateways for AI agents

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0021 Establish Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.2, A.6.2.4, A.8.4, A.9.4
NIST AI RMF: GOVERN 1.1, GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM06, LLM07, LLM08

What are the technical details?

Original Advisory

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.
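The advisory's root cause is an execution entry point that resolves a block by UUID and runs it without consulting the block's `disabled` flag. The following is an added example, not AutoGPT Platform's own code, showing that pattern beside a hardened version that fails closed on disabled blocks. All names (`Block`, `BLOCK_REGISTRY`, `execute_block_vulnerable`, `execute_block_hardened`) and both UUIDs are hypothetical; the "sensitive" block only records that it ran, standing in for a block with dangerous side effects.

```python
"""Disabled-flag enforcement at a block-execution entry point.

Added example, not project code. Classes, functions and UUIDs are invented;
the sensitive block is a side-effect-free stand-in for a dangerous block.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict


@dataclass
class Block:
    id: str
    name: str
    disabled: bool
    run: Callable[[Dict[str, Any]], Dict[str, Any]]


class BlockDisabledError(PermissionError):
    """Raised when a caller tries to execute a block flagged as disabled."""


def _echo(inputs: Dict[str, Any]) -> Dict[str, Any]:
    return {"output": inputs.get("text", "")}


def _sensitive(inputs: Dict[str, Any]) -> Dict[str, Any]:
    # Constructed placeholder for a block whose side effects must never be
    # reachable by ordinary users; here it only reports that it executed.
    return {"ran": True}


# Constructed registry; these UUIDs are made up, not the platform's block IDs.
ECHO_ID = "11111111-1111-4111-8111-111111111111"
SENSITIVE_ID = "22222222-2222-4222-8222-222222222222"
BLOCK_REGISTRY: Dict[str, Block] = {
    ECHO_ID: Block(ECHO_ID, "EchoBlock", disabled=False, run=_echo),
    SENSITIVE_ID: Block(SENSITIVE_ID, "SensitiveBlock", disabled=True, run=_sensitive),
}


def execute_block_vulnerable(block_id: str, inputs: Dict[str, Any]) -> Dict[str, Any]:
    """Pre-fix pattern: UUID lookup and execution with no `disabled` check.
    The flag only hides the block in the UI; the API still runs it."""
    block = BLOCK_REGISTRY[block_id]
    return block.run(inputs)


def execute_block_hardened(block_id: str, inputs: Dict[str, Any]) -> Dict[str, Any]:
    """Post-fix pattern: enforce the flag server-side at every execution entry
    point (the advisory names two: the main web API and the external API)."""
    block = BLOCK_REGISTRY.get(block_id)
    if block is None:
        raise KeyError(f"unknown block {block_id}")
    if block.disabled:
        # Fail closed: the server, not the client UI, is the policy enforcement point.
        raise BlockDisabledError(f"block {block.name} ({block_id}) is disabled")
    return block.run(inputs)


def disabled_block_reachable(executor: Callable[[str, Dict[str, Any]], Dict[str, Any]]) -> bool:
    """Regression check a test suite can keep: True if the executor will run a
    disabled block, which is the exact condition the advisory describes."""
    try:
        executor(SENSITIVE_ID, {})
    except BlockDisabledError:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable:", execute_block_vulnerable(SENSITIVE_ID, {}))
    try:
        execute_block_hardened(SENSITIVE_ID, {})
    except BlockDisabledError as exc:
        print("hardened rejected:", exc)
```

The check belongs in the shared execution path rather than in each route handler, so that any new endpoint that executes blocks inherits it; `disabled_block_reachable` is the kind of assertion to keep in CI so the gap cannot silently reopen.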

Exploitation Scenario

An attacker identifies a publicly accessible self-hosted AutoGPT Platform instance. In the default configuration with Supabase signup enabled, the attacker self-registers a free account in seconds. Using the authenticated session, the attacker calls the block execution API endpoint with the well-known UUID of the disabled BlockInstallationBlock—a UUID discoverable directly from the open-source codebase on GitHub without any prior system access. The attacker embeds a Python reverse shell or credential-harvesting payload; the platform writes this code to the server filesystem and executes it via Python's __import__() function, achieving OS-level code execution. The attacker then exfiltrates all stored LLM provider API keys, cloud credentials, and agent workflow configurations, establishes persistence, and pivots into connected downstream services. The entire attack requires no AI/ML expertise—only basic HTTP API interaction and knowledge of the public GitHub repository.

Weaknesses (CWE)

CWE-276 — Incorrect Default Permissions: During installation, installed file permissions are set to allow anyone to modify those files.

  • [Architecture and Design, Operation] The architecture needs to restrict access and modification attributes for files to only those users who actually require those actions.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: January 29, 2026
Last Modified: February 17, 2026
First Seen: January 29, 2026
