CVE-2026-24780: agpt: Code Injection enables RCE

GHSA-r277-3xc5-c79v | Severity: HIGH | PoC available | CISA SSVC: Attend
Published January 29, 2026
CISO Take

A critical RCE vulnerability in AutoGPT Platform allows any authenticated user—including self-registered attackers in default Supabase deployments—to execute arbitrary Python code on your server by invoking a disabled block that bypasses authorization checks. Patch immediately to v0.6.44+, disable public signup, and rotate all credentials and API keys stored in or accessible from the platform. If self-hosting AutoGPT in production, treat this as an active incident until patched and audited.

Risk Assessment

Effective risk is critical despite the CVSS 8.8 score. In default self-hosted deployments with Supabase signup enabled, the bar for exploitation drops to near-zero—any internet-accessible AutoGPT instance is vulnerable to effectively unauthenticated RCE requiring only a free account registration. Even with signup disabled, a single compromised low-privilege account yields full server control. The low attack complexity, no user interaction requirement, and network accessibility make this trivially exploitable at scale. EPSS of 0.00103 reflects early disclosure, not low exploitability—the attack path is straightforward and the vulnerable code is public.

Affected Systems

Package            Ecosystem     Vulnerable range   Patched version
agpt               pip           <= 0.2.2           none listed
autogpt_platform   (not listed)  (not listed)       none listed

The fix ships as the autogpt-platform-beta-v0.6.44 release tag (see the NVD description below); neither package entry above carries a patched version in the vulnerability database, so track the release tag rather than a pip version.

Severity & Risk

CVSS 3.1 base score: 8.8 / 10 (HIGH)
EPSS: 0.1% chance of exploitation in the next 30 days (higher than 30% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM (confidence: medium)
Sophistication: trivial
CISA SSVC: public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                    Value
AV (Attack Vector)        Network
AC (Attack Complexity)    Low
PR (Privileges Required)  Low
UI (User Interaction)     None
S (Scope)                 Unchanged
C (Confidentiality)       High
I (Integrity)             High
A (Availability)          High

Recommended Action

7 steps
  1. PATCH

    Upgrade to autogpt-platform-beta-v0.6.44 or later immediately. No safe workaround exists that preserves full functionality.

  2. QUICK WIN

    Disable Supabase public signup so an attacker needs a pre-existing account while patching is underway. This raises the bar but does not remove the vulnerability: any compromised low-privilege account still reaches the same endpoint.

  3. NETWORK

    Restrict AutoGPT backend API access to trusted networks; place it behind a VPN or IP allowlist if public exposure is not required.

  4. ROTATE CREDENTIALS

    After patching, rotate all API keys, LLM provider tokens (OpenAI, Anthropic) and integration credentials stored in or reachable from the platform. Assume compromise if an unpatched instance was internet-facing.

  5. DETECT

    Search web and API access logs for requests to the block execution endpoints (external/v1/routes.py L79-93 and features/v1.py L1408-1424 in the vulnerable tree) that carry the BlockInstallationBlock UUID. Any execution of that block by a non-admin user is an IOC; on an unpatched host a 200 response means the block ran.

  6. AUDIT FILESYSTEM

    Review the server filesystem for unexpected Python files written by the platform process; the block writes attacker-supplied code to disk before importing it.

  7. POST-PATCH

    Audit user accounts for unauthorized self-registrations and revoke them as needed.
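The following is an added example for step 5 (DETECT), not code from the advisory or the AutoGPT project. It triages access logs for executions of the disabled block and names the non-admin accounts whose calls succeeded. The JSON-per-line log shape, the `/api/v1/...` and `/external-api/v1/...` route patterns, the block UUID and every sample line are constructed assumptions; substitute your own log format, the real routes and the real BlockInstallationBlock id from the source tree you run.

```python
# Added example, not from the advisory or the AutoGPT project: log triage for
# step 5 (DETECT). The JSON log shape, URL paths, block UUID and all sample
# lines below are constructed assumptions.
import json
import re
from typing import Dict, Iterable, List

# Hypothetical id of the disabled block; take the real one from the AutoGPT source.
DISABLED_BLOCK_IDS = {"00000000-0000-4000-8000-0000000000aa"}

# Assumed route shape for the main and external block execution endpoints.
EXEC_PATH = re.compile(
    r"^/(?:api|external-api)/v1/blocks/(?P<block_id>[0-9a-f-]{36})/execute/?$"
)

# Constructed sample traffic, one JSON object per line (not real logs).
SAMPLE_LOG = """\
{"ts": "2026-01-30T08:01:02Z", "user": "u-42", "role": "user", "method": "POST", "path": "/api/v1/blocks/11111111-1111-4111-8111-111111111111/execute", "status": 200}
{"ts": "2026-01-30T08:03:15Z", "user": "u-99", "role": "user", "method": "POST", "path": "/api/v1/blocks/00000000-0000-4000-8000-0000000000aa/execute", "status": 200}
{"ts": "2026-01-30T08:03:16Z", "user": "u-99", "role": "user", "method": "POST", "path": "/external-api/v1/blocks/00000000-0000-4000-8000-0000000000aa/execute", "status": 200}
{"ts": "2026-01-30T08:05:00Z", "user": "u-1", "role": "admin", "method": "POST", "path": "/api/v1/blocks/00000000-0000-4000-8000-0000000000aa/execute", "status": 403}
{"ts": "2026-01-30T08:06:00Z", "user": "u-7", "role": "user", "method": "GET", "path": "/api/v1/blocks", "status": 200}
"""


def parse_json_lines(text: str) -> Iterable[Dict]:
    """Yield one record per non-empty line; silently skip lines that are not JSON."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def find_disabled_block_executions(records: Iterable[Dict],
                                   disabled_ids=DISABLED_BLOCK_IDS) -> List[Dict]:
    """Return every POST to an execute route whose block id is a disabled block."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        m = EXEC_PATH.match(rec.get("path", ""))
        if not m or m.group("block_id") not in disabled_ids:
            continue
        hits.append({
            "ts": rec.get("ts"),
            "user": rec.get("user"),
            "role": rec.get("role"),
            "path": rec["path"],
            # On an unpatched host a 200 means the block actually ran.
            "succeeded": rec.get("status") == 200,
        })
    return hits


def triage(text: str) -> Dict:
    """All hits, plus the non-admin accounts whose disabled-block calls returned 200."""
    hits = find_disabled_block_executions(parse_json_lines(text))
    suspects = sorted({h["user"] for h in hits if h["succeeded"] and h["role"] != "admin"})
    return {"hits": hits, "suspects": suspects}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hits"]:
        print(h)
    print("accounts to treat as compromised:", result["suspects"])
```

Run the same triage over logs collected after the upgrade: hits that now return 4xx show who kept probing, which is useful input for step 7.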

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  A.6.2.2 - AI System Security; A.6.2.4 - AI system access control; A.8.4 - AI System Lifecycle Security; A.9.4 - AI system security
NIST AI RMF
  GOVERN 1.1 - Policies, Processes and Procedures for AI Risk; GOVERN 1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems safely; MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks
OWASP Top 10 for LLM Applications
  LLM06:2025 - Excessive Agency; LLM07:2023 - Insecure Plugin Design; LLM08:2023 - Excessive Agency (the 2023 and 2025 lists number the same Excessive Agency category differently)

Frequently Asked Questions

What is CVE-2026-24780?

A remote code execution vulnerability in AutoGPT Platform prior to autogpt-platform-beta-v0.6.44. The block execution endpoints (main web API and external API) run a block by UUID without checking its `disabled` flag, so any authenticated user, including a self-registered one where Supabase signup is on, can invoke the disabled BlockInstallationBlock and have arbitrary Python written to the server and imported. See the CISO Take above for the response summary.

Is CVE-2026-24780 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-24780, increasing the risk of exploitation.

How to fix CVE-2026-24780?

See Recommended Action above for the full 7 steps. In short: (1) upgrade to autogpt-platform-beta-v0.6.44 or later; (2) disable Supabase public signup while patching; (3) restrict backend API access to trusted networks; (4) rotate API keys, LLM provider tokens and integration credentials after patching; (5) search access logs for executions of the BlockInstallationBlock UUID by non-admin users; (6) audit the filesystem for unexpected Python files; (7) audit accounts for unauthorized self-registrations.

What systems are affected by CVE-2026-24780?

Self-hosted AutoGPT Platform deployments running a version prior to autogpt-platform-beta-v0.6.44 (see Affected Systems). Instances with Supabase signup enabled are exposed to anyone who can reach the backend API; instances with signup disabled are exposed to any existing account. In architecture terms this covers agent frameworks, AI orchestration platforms, self-hosted AI deployments and API gateways for AI agents built on the platform.

What is the CVSS score for CVE-2026-24780?

CVE-2026-24780 has a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The EPSS score is 0.00103, roughly a 0.1% probability of exploitation in the next 30 days; as noted under Risk Assessment, that reflects early disclosure rather than difficulty of exploitation.

Technical Details

NVD Description

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.

Exploitation Scenario

An attacker identifies a publicly accessible self-hosted AutoGPT Platform instance. In the default configuration with Supabase signup enabled, the attacker self-registers a free account in seconds. Using the authenticated session, the attacker calls the block execution API endpoint with the well-known UUID of the disabled BlockInstallationBlock—a UUID discoverable directly from the open-source codebase on GitHub without any prior system access. The attacker embeds a Python reverse shell or credential-harvesting payload; the platform writes this code to the server filesystem and executes it via Python's __import__() function, achieving OS-level code execution. The attacker then exfiltrates all stored LLM provider API keys, cloud credentials, and agent workflow configurations, establishes persistence, and pivots into connected downstream services. The entire attack requires no AI/ML expertise—only basic HTTP API interaction and knowledge of the public GitHub repository.
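The authorization gap described above, reduced to a toy block registry with the pre-fix and post-fix handler shapes side by side. This is an added example, not code from the AutoGPT project: the block ids, the `Block` dataclass, the handler signatures and the stand-in for BlockInstallationBlock (which only reports what would have run instead of writing and importing it) are all hypothetical, and the fixed handler assumes the fix is "refuse disabled blocks before dispatch on every execute path".

```python
# Added example, not AutoGPT code: the missing `disabled` check behind
# CVE-2026-24780, shown on a toy block registry. Block ids, names and the
# handler shapes are hypothetical.
from dataclasses import dataclass
from typing import Any, Callable, Dict


class BlockDisabledError(PermissionError):
    """Raised when a caller tries to execute a block flagged disabled=True."""


@dataclass(frozen=True)
class Block:
    id: str
    name: str
    disabled: bool
    run: Callable[[Dict[str, Any]], Dict[str, Any]]


def _install_and_import(inputs: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for BlockInstallationBlock. The real block writes inputs["code"]
    to the server filesystem and __import__()s it; this stand-in only reports
    what would have run so the example is safe to execute."""
    return {"status": "would_execute", "code": inputs["code"]}


def _echo(inputs: Dict[str, Any]) -> Dict[str, Any]:
    """A harmless, enabled block for comparison."""
    return {"echo": inputs}


# Hypothetical UUIDs; the real BlockInstallationBlock id is in the public source.
INSTALL_BLOCK_ID = "00000000-0000-4000-8000-0000000000aa"
ECHO_BLOCK_ID = "11111111-1111-4111-8111-111111111111"

REGISTRY: Dict[str, Block] = {
    INSTALL_BLOCK_ID: Block(INSTALL_BLOCK_ID, "BlockInstallationBlock", True, _install_and_import),
    ECHO_BLOCK_ID: Block(ECHO_BLOCK_ID, "EchoBlock", False, _echo),
}


def execute_block_vulnerable(user_id: str, block_id: str, inputs: Dict[str, Any]) -> Dict[str, Any]:
    """Pre-fix shape: authentication has already happened (user_id is any valid
    account) and a known UUID is enough. The block's disabled flag is never read."""
    block = REGISTRY.get(block_id)
    if block is None:
        raise KeyError(f"unknown block {block_id}")
    return block.run(inputs)


def execute_block_fixed(user_id: str, block_id: str, inputs: Dict[str, Any]) -> Dict[str, Any]:
    """Post-fix shape (assumed): refuse disabled blocks before dispatch, for every
    caller and every execute route, so picking the other endpoint cannot bypass it."""
    block = REGISTRY.get(block_id)
    if block is None:
        raise KeyError(f"unknown block {block_id}")
    if block.disabled:
        raise BlockDisabledError(f"block {block.name} ({block_id}) is disabled")
    return block.run(inputs)


def rejected_as_disabled(handler, user_id: str, block_id: str, inputs: Dict[str, Any]) -> bool:
    """True if the handler refuses the call with BlockDisabledError."""
    try:
        handler(user_id, block_id, inputs)
    except BlockDisabledError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker payload; on a real pre-fix host this would be imported.
    payload = {"code": "import os; os.system('id')"}
    print(execute_block_vulnerable("self-registered-user", INSTALL_BLOCK_ID, payload))
    print(rejected_as_disabled(execute_block_fixed, "self-registered-user", INSTALL_BLOCK_ID, payload))
```

The point to carry into your own review of the patch: the check belongs in the shared dispatch path, not in one of the two endpoints, otherwise the external API remains the bypass.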

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
January 29, 2026
Last Modified
February 17, 2026
First Seen
January 29, 2026
