Skip to main content

AutoGPT CVE-2026-56663

| EUVDEUVD-2026-39798 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-26 GitHub_M
8.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Authenticated user (PR:L) must craft DNS to a mapped/CGNAT address (AC:H); SSRF reaches internal systems (S:C) primarily exposing data (C:H), with limited integrity and no inherent availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 18:02 EUVD
Analysis Generated
Jun 26, 2026 - 17:23 vuln.today

DescriptionCVE.org

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.

AnalysisAI

Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the SendWebRequestBlock to reach internal network services that the private-IP filter is supposed to protect. The flaw stems from _is_ip_blocked() in backend/backend/util/request.py failing to normalize IPv4-mapped IPv6 addresses and omitting RFC 6598 CGNAT space (100.64.0.0/10), so a hostname resolving to a mapped address passes validation and the request hits the embedded internal IPv4 endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to AutoGPT Platform
Delivery
Create agent using SendWebRequestBlock
Exploit
Point URL at attacker hostname resolving to IPv4-mapped/CGNAT address
Execution
Bypass _is_ip_blocked() deny list
Persist
Backend connects to internal IPv4 endpoint
Impact
Exfiltrate internal/metadata service data

Vulnerability AssessmentAI

Exploitation Requires an authenticated AutoGPT Platform account (PR:L) with the ability to create or run an agent that uses the SendWebRequestBlock. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, base 8.5 High) reflects a network-reachable, authenticated SSRF with changed scope, the high score driven largely by the scope change and assumed full triad impact on reachable internal systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid AutoGPT account creates an agent that uses the SendWebRequestBlock and points it at a hostname under their control whose DNS record resolves to an IPv4-mapped IPv6 address (e.g. ::ffff:169.254.169.254 or a 100.64.x.x CGNAT address). …
Remediation Upgrade to AutoGPT 0.6.52, which contains the fix (Vendor-released patch: 0.6.52) - this version normalizes IPv4-mapped IPv6 addresses before the deny-list check and blocks the RFC 6598 100.64.0.0/10 CGNAT range. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all AutoGPT Platform instances running versions prior to 0.6.52; audit SendWebRequestBlock usage patterns and review authentication logs for suspicious activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-55237 HIGH
8.8 Jun 18

DOM-based cross-site scripting in AutoGPT versions prior to 0.6.62 allows remote attackers to execute arbitrary JavaScri

CVE-2025-32437 HIGH
8.7 Jun 18

Denial of service in Significant-Gravitas AutoGPT prior to 0.6.63 allows remote attackers to exhaust host disk space by

CVE-2025-32424 HIGH
8.7 Jun 18

Denial of service in AutoGPT prior to 0.6.63 allows remote unauthenticated users to exhaust host disk space by chaining

CVE-2025-32422 HIGH
8.7 Jun 18

Denial of service in AutoGPT versions prior to 0.6.63 allows remote unauthenticated attackers to exhaust disk space on t

CVE-2025-32392 HIGH
8.7 Jun 18

Resource exhaustion denial-of-service in Significant Gravitas AutoGPT versions prior to 0.6.63 allows remote unauthentic

CVE-2026-33232 HIGH
7.5 May 19

Unauthenticated denial-of-service in AutoGPT Platform versions 0.4.2 through 0.6.51 allows remote attackers to exhaust s

CVE-2026-30950 HIGH
7.1 May 18

Authenticated session hijacking in Significant Gravitas AutoGPT versions 0.6.36 through 0.6.50 allows any logged-in user

CVE-2025-32436 HIGH
7.1 Jun 18

Disk exhaustion denial-of-service in Significant Gravitas AutoGPT prior to version 0.6.63 allows authenticated platform

CVE-2026-56823 MEDIUM
5.4 Jun 26

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the ta

CVE-2025-32423 MEDIUM
5.3 Jun 26

Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust s

CVE-2025-32394 MEDIUM
5.3 Jun 26

Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplificatio

Share

CVE-2026-56663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy