Home > Vulnerability Database > CVE-2026-24780

Mend.io Vulnerability Database

CVE-2026-24780

Good to know:

Date: January 29, 2026

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the "disabled" flag. Any authenticated user can execute the disabled "BlockInstallationBlock", which writes arbitrary Python code to the server filesystem and executes it via "__import__()", achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.

Severity Score

9.9

Related Resources (9)

Url: https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93

Url: https://github.com/Significant-Gravitas/AutoGPT

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24780

Url: https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424

Url: https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78

Url: https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459

Url: https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395

Url: https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v

Url: https://www.mend.io/vulnerability-database/CVE-2026-24780

Severity Score

9.9

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Incorrect Default Permissions

CWE-276

Incorrect Authorization

CWE-863

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24780

Good to know:

Date: January 29, 2026

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?