CVE-2026-26006

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26006

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26006.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26006

Aliases

GHSA-m2wr-7m3r-p52c

Published

2026-02-10T21:21:00.635Z

Modified

2026-02-12T02:35:42.846974Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Redos (Regular Expression Denial of Service) at Code Extraction Block in significant-gravitas/autogpt

Details

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The autogpt before 0.6.32 is vulnerable to Regular Expression Denial of Service due to the use of regex at Code Extraction Block. The two Regex are used containing the corresponding dangerous patterns \s+[\s\S]? and \s+(.?). They share a common characteristic — the combination of two adjacent quantifiers that can match the same space character (\s). As a result, an attacker can supply a long sequence of space characters to trigger excessive regex backtracking, potentially leading to a Denial of Service (DoS). This vulnerability is fixed in 0.6.32.

Database specific

{
    "cwe_ids": [
        "CWE-1333"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26006.json"
}

References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type

GIT

Repo

https://github.com/significant-gravitas/autogpt

Events

Introduced

25a7957bb801cc2ffd088ac81269fe96c5696b23

Fixed

73603a8ce54418bc4eba730429854bf072a65f7f

Database specific

{
    "versions": [
        {
            "introduced": "0.4.0"
        },
        {
            "fixed": "0.6.32"
        }
    ]
}

Affected versions

agbenchmark-v0.*

agbenchmark-v0.0.10

agpt-platform-beta-v0.*

agpt-platform-beta-v0.1.0

agpt-platform-beta-v0.1.1

agpt-platform-beta-v0.2.0

autogpt-platform-beta-v0.*

autogpt-platform-beta-v0.2.1

autogpt-platform-beta-v0.2.2

autogpt-platform-beta-v0.3.0

autogpt-platform-beta-v0.3.1

autogpt-platform-beta-v0.3.2

autogpt-platform-beta-v0.3.3

autogpt-platform-beta-v0.3.4

autogpt-platform-beta-v0.4.0

autogpt-platform-beta-v0.4.1

autogpt-platform-beta-v0.4.10

autogpt-platform-beta-v0.4.11

autogpt-platform-beta-v0.4.2

autogpt-platform-beta-v0.4.3

autogpt-platform-beta-v0.4.4

autogpt-platform-beta-v0.4.5

autogpt-platform-beta-v0.4.6

autogpt-platform-beta-v0.4.7

autogpt-platform-beta-v0.4.8

autogpt-platform-beta-v0.4.9

autogpt-platform-beta-v0.5.0

autogpt-platform-beta-v0.5.1

autogpt-platform-beta-v0.6.0

autogpt-platform-beta-v0.6.1

autogpt-platform-beta-v0.6.10

autogpt-platform-beta-v0.6.11

autogpt-platform-beta-v0.6.12

autogpt-platform-beta-v0.6.13

autogpt-platform-beta-v0.6.14

autogpt-platform-beta-v0.6.15

autogpt-platform-beta-v0.6.16

autogpt-platform-beta-v0.6.17

autogpt-platform-beta-v0.6.18

autogpt-platform-beta-v0.6.19

autogpt-platform-beta-v0.6.2

autogpt-platform-beta-v0.6.20

autogpt-platform-beta-v0.6.21

autogpt-platform-beta-v0.6.22

autogpt-platform-beta-v0.6.23

autogpt-platform-beta-v0.6.24

autogpt-platform-beta-v0.6.25

autogpt-platform-beta-v0.6.26

autogpt-platform-beta-v0.6.27

autogpt-platform-beta-v0.6.28

autogpt-platform-beta-v0.6.29

autogpt-platform-beta-v0.6.3

autogpt-platform-beta-v0.6.30

autogpt-platform-beta-v0.6.31

autogpt-platform-beta-v0.6.4

autogpt-platform-beta-v0.6.5

autogpt-platform-beta-v0.6.6

autogpt-platform-beta-v0.6.7

autogpt-platform-beta-v0.6.8

autogpt-platform-beta-v0.6.9

v0.*

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.3-alpha

v0.4.4

v0.4.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26006.json"