CVE-2026-45023

Source
https://cve.org/CVERecord?id=CVE-2026-45023
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45023.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45023
Aliases
  • GHSA-8pjg-mfqm-vrhr
Published
2026-05-28T21:30:55.329Z
Modified
2026-07-15T01:48:58.314908400Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
Summary
AutoGPT: Credit system bypassed via direct block execution in POST /api/blocks/{block_id}/execute
Details

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59.

Database specific
{
    "cwe_ids": [
        "CWE-770",
        "CWE-841"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45023.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/significant-gravitas/autogpt

Affected ranges

Type
GIT
Repo
https://github.com/significant-gravitas/autogpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.6.59"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

agbenchmark-v0.*
agbenchmark-v0.0.10
agpt-platform-beta-v0.*
agpt-platform-beta-v0.1.0
agpt-platform-beta-v0.1.1
agpt-platform-beta-v0.2.0
autogpt-platform-beta-v0.*
autogpt-platform-beta-v0.2.2
autogpt-platform-beta-v0.3.2
autogpt-platform-beta-v0.3.3
autogpt-platform-beta-v0.3.4
autogpt-platform-beta-v0.4.0
autogpt-platform-beta-v0.4.1
autogpt-platform-beta-v0.4.10
autogpt-platform-beta-v0.4.11
autogpt-platform-beta-v0.4.2
autogpt-platform-beta-v0.4.3
autogpt-platform-beta-v0.4.4
autogpt-platform-beta-v0.4.5
autogpt-platform-beta-v0.4.8
autogpt-platform-beta-v0.4.9
autogpt-platform-beta-v0.5.0
autogpt-platform-beta-v0.5.1
autogpt-platform-beta-v0.6.0
autogpt-platform-beta-v0.6.1
autogpt-platform-beta-v0.6.10
autogpt-platform-beta-v0.6.11
autogpt-platform-beta-v0.6.12
autogpt-platform-beta-v0.6.13
autogpt-platform-beta-v0.6.14
autogpt-platform-beta-v0.6.15
autogpt-platform-beta-v0.6.16
autogpt-platform-beta-v0.6.17
autogpt-platform-beta-v0.6.18
autogpt-platform-beta-v0.6.19
autogpt-platform-beta-v0.6.2
autogpt-platform-beta-v0.6.20
autogpt-platform-beta-v0.6.21
autogpt-platform-beta-v0.6.22
autogpt-platform-beta-v0.6.26
autogpt-platform-beta-v0.6.28
autogpt-platform-beta-v0.6.29
autogpt-platform-beta-v0.6.30
autogpt-platform-beta-v0.6.31
autogpt-platform-beta-v0.6.32
autogpt-platform-beta-v0.6.33
autogpt-platform-beta-v0.6.34
autogpt-platform-beta-v0.6.35
autogpt-platform-beta-v0.6.36
autogpt-platform-beta-v0.6.37
autogpt-platform-beta-v0.6.38
autogpt-platform-beta-v0.6.39
autogpt-platform-beta-v0.6.4
autogpt-platform-beta-v0.6.40
autogpt-platform-beta-v0.6.41
autogpt-platform-beta-v0.6.42
autogpt-platform-beta-v0.6.43
autogpt-platform-beta-v0.6.46
autogpt-platform-beta-v0.6.47
autogpt-platform-beta-v0.6.48
autogpt-platform-beta-v0.6.49
autogpt-platform-beta-v0.6.5
autogpt-platform-beta-v0.6.50
autogpt-platform-beta-v0.6.51
autogpt-platform-beta-v0.6.52
autogpt-platform-beta-v0.6.53
autogpt-platform-beta-v0.6.54
autogpt-platform-beta-v0.6.55
autogpt-platform-beta-v0.6.56
autogpt-platform-beta-v0.6.57
autogpt-platform-beta-v0.6.58
autogpt-platform-beta-v0.6.6
autogpt-platform-beta-v0.6.7
autogpt-platform-beta-v0.6.8
autogpt-platform-beta-v0.6.9
v0.*
v0.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45023.json"