Cyber Posture

CVE-2026-33232

HighDDoS
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 19 May 2026

Published
19 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 16.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33232 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as APIs and Models.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-10 Concurrent Session Control
addresses: CWE-400 CWE-770

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

CP-4 Contingency Plan Testing
addresses: CWE-400 CWE-770

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

CP-5 Contingency Plan Update
addresses: CWE-400 CWE-770

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

CP-7 Alternate Processing Site
addresses: CWE-400 CWE-770

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

CP-8 Telecommunications Services
addresses: CWE-400 CWE-770

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

PL-6 Security-related Activity Planning
addresses: CWE-400 CWE-770

Planning and coordination of security activities (scans, tests, maintenance) directly imposes scheduling and throttling that prevents those activities from producing uncontrolled resource consumption.

PM-6 Measures of Performance
addresses: CWE-400 CWE-770

Performance metrics and monitoring inherently track resource consumption patterns, making uncontrolled consumption easier to detect and mitigate.

SC-10 Network Disconnect
addresses: CWE-400 CWE-770

Terminating idle connections bounds resource consumption that would otherwise allow uncontrolled accumulation of open sessions.

NVD Description

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service (DoS) through the server due to uncontrolled disk space consumption. The download_agent_file endpoint…

more

creates persistent temporary files for every request but fails to delete them after they are served. An unauthenticated attacker can repeatedly call this endpoint to exhaust the server's disk space, causing the database or other system services to fail due to "No space left on device" errors, rendering the entire AutoGPT Platform backend unavailable to all users. This issue has been patched in version 0.6.52.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-400CWE-459CWE-770

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: artificial intelligence

References