Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python's smtplib.SMTP() to open a raw TCP connection with no IP address validation. This completely bypasses the platform's hardened SSRF protections in backend/util/request.py - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist that every other block uses to block connections to private, loopback, link-local, and cloud metadata addresses. An authenticated user on a shared AutoGPT deployment can use this to perform non-blind internal network port scanning and service fingerprinting: smtplib reads the target's TCP banner on connect and embeds it in the exception message, which is persisted as user-visible block output via the execution framework. This issue has been fixed in version 0.6.52.
AnalysisAI
Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) is the root cause: user-controlled data is used to initiate outbound TCP connections server-side without sanitization. AutoGPT Platform's architecture includes a purpose-built SSRF mitigation layer in backend/util/request.py, implementing validate_url_host() backed by a BLOCKED_IP_NETWORKS blocklist that guards against connections to RFC 1918 private ranges, loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud metadata endpoints like 169.254.169.254. SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py is architecturally out of compliance with this control - it calls Python's standard library smtplib.SMTP(smtp_server, smtp_port) directly using per-execution block inputs with no IP validation step. Crucially, smtplib reads and stores the TCP banner from the connection attempt, and the AutoGPT execution framework persists exception messages as user-visible block output, upgrading this from blind to non-blind SSRF. The affected CPE is cpe:2.3:a:significant-gravitas:autogpt:*:*:*:*:*:*:*:*, covering all platform releases from 0.1.0 through 0.6.51.
RemediationAI
Upgrade to AutoGPT Platform version 0.6.52, the vendor-confirmed patched release available at https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52 and documented in the security advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-4jwj-6mg5-wrwf. For operators unable to patch immediately, restrict workflow creation and execution permissions for SendEmailBlock to trusted users only - since exploitation requires PR:L authenticated access, tightening role-based access controls on block usage directly reduces the attack surface, though this may limit legitimate email automation functionality. As a network-level compensating control, apply egress firewall rules on the AutoGPT backend host to block outbound TCP connections to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254:80/443); note that this may interfere with SendEmailBlock reaching internal SMTP relays if any are hosted in private ranges. Upgrading to 0.6.52 is the only complete remediation.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30822