What is the CVSS score of CVE-2026-26020?

CVE-2026-26020 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2026-26020?

AutoGPT versions prior to 0.6.48 contain a critical vulnerability allowing authenticated users to execute arbitrary code on backend servers through manipulated workflow graphs.. A patch is available.

How to fix or mitigate CVE-2026-26020?

Within 24 hours: Identify all AutoGPT deployments and current version numbers; assess which systems are internet-facing or accessible to external users. Within 7 days: Apply vendor patch to upgrade all instances to version 0.6.48 or later; conduct access review to restrict AutoGPT platform access to trusted personnel only. Within 30 days: Perform security audit of AutoGPT usage logs to detect any suspicious graph deployments; implement network monitoring for unusual backend processes spawned by AutoGPT services.

Python CVE-2026-26020

HIGH

Improper Authorization (CWE-285)

2026-02-12 security-advisories@github.com

Python RCE AI / ML Autogpt Platform

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

Patch released

Feb 17, 2026 - 20:10 nvd

Patch available

CVE Published

Feb 12, 2026 - 21:16 nvd

HIGH 8.8

DescriptionNVD

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock - a development tool capable of writing and importing arbitrary Python code - was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block's execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.

AnalysisAI

Remote code execution in AutoGPT prior to version 0.6.48 allows authenticated users to execute arbitrary Python code on the backend server by embedding a disabled BlockInstallationBlock within a workflow graph, bypassing validation controls that only checked the disabled flag at direct execution endpoints. An attacker with valid credentials can exploit this to gain full control over the backend system and automate malicious workflows. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to AutoGPT platform

Delivery

Create graph with disabled BlockInstallationBlock

Exploit

Embed arbitrary Python code in block

Execution

Submit graph for execution

Impact

Backend server executes malicious code

Access

Authenticate to AutoGPT platform

Delivery

Create graph with disabled BlockInstallationBlock

Exploit

Embed arbitrary Python code in block

Execution

Submit graph for execution

Impact

Backend server executes malicious code

Vulnerability AssessmentAI

Exploitation	Authenticated user account on AutoGPT versions prior to 0.6.48. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker (requires authentication) could exploit this vulnerability to create, deploy, and manage continuous artificial intelligence agents that automa.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all AutoGPT deployments and current version numbers; assess which systems are internet-facing or accessible to external users. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-43986 CRITICAL Act Now

9.9 Jun 04

Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T

CVE-2026-47731 CRITICAL Act Now

9.1 Jun 05

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to

CVE-2026-48031 CRITICAL Act Now

9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

CVE-2026-41065 HIGH This Week

8.9 Jun 04

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst

CVE-2026-43984 HIGH This Week

8.9 Jun 04

Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when gu

CVE-2026-26020 vulnerability details – vuln.today

Back

Python CVE-2026-26020

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code