CVE-2026-26020
Published: 12 February 2026
Description
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock — a development tool capable of writing and importing arbitrary Python code — was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block's execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.
Mitigating Controls (NIST 800-53 r5) [AI]
AC-3 enforces approved authorizations for logical access, directly preventing authenticated users from bypassing disabled flags on blocks like BlockInstallationBlock during graph processing.
SI-10 validates graph inputs to enforce restrictions such as disabled=True flags, addressing the validation failure that allowed embedding and execution of the BlockInstallationBlock.
AC-6 least privilege limits low-privilege authenticated users from executing arbitrary code via graph nodes, mitigating the high-impact RCE even if enforcement partially fails.
Security Summary [AI]
CVE-2026-26020 is a remote code execution (RCE) vulnerability (CWE-285: Improper Authorization) in the AutoGPT platform, which allows users to create, deploy, and manage continuous artificial intelligence agents for automating complex workflows. Versions prior to 0.6.48 are affected, specifically the backend server component. The flaw arises from the BlockInstallationBlock, a development tool capable of writing and importing arbitrary Python code, which was marked with disabled=True. However, graph validation failed to enforce this flag, permitting its misuse.
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By embedding the disabled BlockInstallationBlock as a node within a graph—rather than invoking its execution endpoint directly, which did enforce the flag—the attacker bypasses restrictions and achieves RCE on the backend server. This grants high-impact confidentiality, integrity, and availability compromise, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is fixed in AutoGPT version 0.6.48. Mitigation involves updating to this release or later. Key resources include the patching commit at https://github.com/Significant-Gravitas/AutoGPT/commit/062fe1aa709217136b896c8b950e0f04435afb32, the release announcement at https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.48, and the GitHub security advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-4crw-9p35-9x54.
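The flaw class described above (one path enforces the disabled flag, graph validation does not) as an added example; it is a minimal model, not AutoGPT's code or its patch. All names and block ids (`resolve_block`, `validate_graph`, `dev-installer`, and so on) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    id: str
    disabled: bool = False

class DisabledBlockError(Exception):
    """Raised when a disabled block is requested on any path."""

# Constructed registry; block ids are placeholders, not AutoGPT identifiers.
REGISTRY = {
    "text-formatter": Block("text-formatter"),
    "dev-installer": Block("dev-installer", disabled=True),
}

def resolve_block(block_id: str) -> Block:
    """Single choke point: every path that obtains a block goes through here."""
    block = REGISTRY.get(block_id)
    if block is None:
        raise KeyError(f"unknown block: {block_id}")
    if block.disabled:
        raise DisabledBlockError(block_id)
    return block

def validate_graph_flawed(node_block_ids: list[str]) -> bool:
    """The flawed pattern: checks that blocks exist, ignores the disabled flag."""
    return all(bid in REGISTRY for bid in node_block_ids)

def validate_graph(node_block_ids: list[str]) -> bool:
    """Hardened: graph validation applies the same policy as direct execution."""
    for bid in node_block_ids:
        resolve_block(bid)  # raises on unknown or disabled blocks
    return True

def execute_graph(node_block_ids: list[str]) -> list[str]:
    """Defence in depth: re-check at execution time, so a graph accepted
    before the block was disabled still cannot run it."""
    validate_graph(node_block_ids)
    return [f"ran {resolve_block(bid).id}" for bid in node_block_ids]

def audit_stored_graphs(graphs: dict[str, list[str]]) -> dict[str, list[str]]:
    """Report stored graphs that reference disabled blocks (post-upgrade review)."""
    findings = {}
    for graph_id, bids in graphs.items():
        hits = [b for b in bids if b in REGISTRY and REGISTRY[b].disabled]
        if hits:
            findings[graph_id] = hits
    return findings
```

Routing both the direct-execution path and graph validation through one resolver keeps the two from drifting apart, and the audit function gives a way to review graphs saved before the fix.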
Details
- CWE(s)
Affected Products
AI Security Analysis [AI]
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: artificial intelligence
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability enables remote code execution via arbitrary Python code import/execution (T1059.006) on the backend server, exploitable by low-privilege authenticated users for privilege escalation (T1068), in a public-facing application (T1190).