Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service (DoS) through the server due to uncontrolled disk space consumption. The download_agent_file endpoint creates persistent temporary files for every request but fails to delete them after they are served. An unauthenticated attacker can repeatedly call this endpoint to exhaust the server's disk space, causing the database or other system services to fail due to "No space left on device" errors, rendering the entire AutoGPT Platform backend unavailable to all users. This issue has been patched in version 0.6.52.
AnalysisAI
Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust server disk space by repeatedly invoking the download_agent_file endpoint, which creates temporary files that are never cleaned up. Once disk capacity is consumed, the backend database and dependent services fail with 'No space left on device' errors, taking the entire platform offline for all users. No public exploit identified at time of analysis, but the trivial nature of the attack (simple repeated HTTP requests) makes it readily reproducible.
Technical ContextAI
AutoGPT is an open-source workflow automation platform from Significant Gravitas for building and orchestrating continuous AI agents. The flaw lies in the download_agent_file HTTP endpoint of the AutoGPT Platform backend, which materializes agent file content into temporary files on local disk to serve them, but omits the cleanup step that should remove those files after the response is sent. This maps to CWE-459 (Incomplete Cleanup), a resource-management weakness where a program fails to release or destroy resources after use - in this case, persistent files on the filesystem rather than file handles or memory. The affected CPE is cpe:2.3:a:significant-gravitas:autogpt covering all versions in the 0.4.2-0.6.51 range.
RemediationAI
Vendor-released patch: upgrade the AutoGPT Platform to autogpt-platform-beta-v0.6.52 or later, as published at https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52 and detailed in advisory GHSA-374w-2pxq-c9jp. If immediate upgrade is not possible, compensating controls include restricting network access to the download_agent_file endpoint via a reverse proxy or WAF rule (trade-off: legitimate agent file downloads will be blocked for unauthenticated callers), placing the entire platform behind authenticated ingress so only known users can reach the endpoint (trade-off: breaks public/anonymous agent sharing flows), aggressive rate-limiting on the endpoint per source IP (trade-off: distributed sources can still trigger the issue, and shared NAT users may be impacted), and operationally adding a tmpfiles.d or cron-based janitor to purge stale files in the platform's temp directory while monitoring disk usage with alerting before saturation occurs (trade-off: only mitigates symptoms, not the underlying leak).
DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri
Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by
Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining
Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t
Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the Send
Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user
Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform
{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta
Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s
Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio
Same weakness CWE-459 – Incomplete Cleanup
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30819