Skip to main content

AutoGPT Platform CVE-2026-33232

| EUVDEUVD-2026-30819 HIGH
Incomplete Cleanup (CWE-459)
2026-05-19 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 19, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 19, 2026 - 01:43 vuln.today
Analysis Generated
May 19, 2026 - 01:43 vuln.today

DescriptionGitHub Advisory

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service (DoS) through the server due to uncontrolled disk space consumption. The download_agent_file endpoint creates persistent temporary files for every request but fails to delete them after they are served. An unauthenticated attacker can repeatedly call this endpoint to exhaust the server's disk space, causing the database or other system services to fail due to "No space left on device" errors, rendering the entire AutoGPT Platform backend unavailable to all users. This issue has been patched in version 0.6.52.

AnalysisAI

Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust server disk space by repeatedly invoking the download_agent_file endpoint, which creates temporary files that are never cleaned up. Once disk capacity is consumed, the backend database and dependent services fail with 'No space left on device' errors, taking the entire platform offline for all users. No public exploit identified at time of analysis, but the trivial nature of the attack (simple repeated HTTP requests) makes it readily reproducible.

Technical ContextAI

AutoGPT is an open-source workflow automation platform from Significant Gravitas for building and orchestrating continuous AI agents. The flaw lies in the download_agent_file HTTP endpoint of the AutoGPT Platform backend, which materializes agent file content into temporary files on local disk to serve them, but omits the cleanup step that should remove those files after the response is sent. This maps to CWE-459 (Incomplete Cleanup), a resource-management weakness where a program fails to release or destroy resources after use - in this case, persistent files on the filesystem rather than file handles or memory. The affected CPE is cpe:2.3:a:significant-gravitas:autogpt covering all versions in the 0.4.2-0.6.51 range.

RemediationAI

Vendor-released patch: upgrade the AutoGPT Platform to autogpt-platform-beta-v0.6.52 or later, as published at https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52 and detailed in advisory GHSA-374w-2pxq-c9jp. If immediate upgrade is not possible, compensating controls include restricting network access to the download_agent_file endpoint via a reverse proxy or WAF rule (trade-off: legitimate agent file downloads will be blocked for unauthenticated callers), placing the entire platform behind authenticated ingress so only known users can reach the endpoint (trade-off: breaks public/anonymous agent sharing flows), aggressive rate-limiting on the endpoint per source IP (trade-off: distributed sources can still trigger the issue, and shared NAT users may be impacted), and operationally adding a tmpfiles.d or cron-based janitor to purge stale files in the platform's temp directory while monitoring disk usage with alerting before saturation occurs (trade-off: only mitigates symptoms, not the underlying leak).

CVE-2026-55237 HIGH
8.8 Jun 18

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri

CVE-2025-32437 HIGH
8.7 Jun 18

Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by

CVE-2025-32424 HIGH
8.7 Jun 18

Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining

CVE-2025-32422 HIGH
8.7 Jun 18

Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t

CVE-2025-32392 HIGH
8.7 Jun 18

Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic

CVE-2026-56663 HIGH
8.5 Jun 26

Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send

CVE-2026-30950 HIGH
7.1 May 18

Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user

CVE-2025-32436 HIGH
7.1 Jun 18

Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform

CVE-2026-56823 MEDIUM
5.4 Jun 26

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta

CVE-2025-32423 MEDIUM
5.3 Jun 26

Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s

CVE-2025-32394 MEDIUM
5.3 Jun 26

Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio

Share

CVE-2026-33232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy