Skip to main content

AutoGPT CVE-2026-45023

| EUVDEUVD-2026-33072 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-28 security-advisories@github.com
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
May 28, 2026 - 23:02 EUVD
Analysis Generated
May 28, 2026 - 22:30 vuln.today

DescriptionGitHub Advisory

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59.

AnalysisAI

{block_id}/execute endpoint, which skips the credit validation logic present in manager.py. An attacker with a low-privilege account - including one with zero remaining credits - can exploit this to exhaust platform resources and obtain unlimited AI execution at the operator's expense. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Technical ContextAI

AutoGPT is a workflow automation platform for building and running continuous AI agents. The platform enforces a credit-based resource consumption model: normal graph execution routes through manager.py, which validates user credit balances before allowing block execution. However, the direct block execution endpoint POST /api/blocks/{block_id}/execute bypasses this path entirely, never invoking the credit check. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) - the resource throttling mechanism is implemented only in one code path (graph execution) and is not applied at the API boundary for direct block calls. This architectural gap means any authenticated API consumer can trigger arbitrarily many executions of any block - including computationally expensive LLM inference or external API integrations - without any accounting or rate limiting enforced.

RemediationAI

Vendor-released patch: AutoGPT 0.6.59 resolves this vulnerability by closing the credit bypass in the direct block execution API path. Operators should upgrade to 0.6.59 or later immediately, as referenced in the GitHub Security Advisory GHSA-8pjg-mfqm-vrhr at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-8pjg-mfqm-vrhr. If immediate patching is not feasible, operators should restrict access to the POST /api/blocks/{block_id}/execute endpoint at the API gateway or reverse proxy layer (e.g., block or rate-limit the route pattern /api/blocks/*/execute). This compensating control may break legitimate direct block execution workflows, so it should be treated as temporary. Additionally, monitoring for anomalous API call volume to this endpoint can help detect abuse prior to patching.

Share

CVE-2026-45023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy