Cyber Resilience

CVE-2026-26020

Critical

Published: 12 February 2026

Modified: 17 February 2026
KEV Added
Patch
CVSS Score v4: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0048 (37.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26020 is a critical-severity Improper Authorization (CWE-285) vulnerability in Agpt Autogpt Platform. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 37.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26020 is a remote code execution (RCE) vulnerability (CWE-285: Improper Authorization) in the AutoGPT platform, which allows users to create, deploy, and manage continuous artificial intelligence agents for automating complex workflows. Versions prior to 0.6.48 are affected, specifically the backend server component. The flaw arises from the BlockInstallationBlock, a development tool capable of writing and importing arbitrary Python code, which was marked with disabled=True. However, graph validation failed to enforce this flag, permitting its misuse.

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By embedding the disabled BlockInstallationBlock as a node within a graph—rather than invoking its execution endpoint directly, which did enforce the flag—the attacker bypasses restrictions and achieves RCE on the backend server. This grants high-impact confidentiality, integrity, and availability compromise, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is fixed in AutoGPT version 0.6.48. Mitigation involves updating to this release or later. Key resources include the patching commit at https://github.com/Significant-Gravitas/AutoGPT/commit/062fe1aa709217136b896c8b950e0f04435afb32, the release announcement at https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.48, and the GitHub security advisory at https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-4crw-9p35-9x54.
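
The validation gap described above, sketched as an added example that is not AutoGPT's own code: `Block`, `REGISTRY`, the block ids and the graph dictionaries are hypothetical, and only the `BlockInstallationBlock` name and its `disabled=True` flag come from the advisory. It puts a validator that checks only that a block exists beside one that enforces the flag on every node, and adds a sweep over already-stored graphs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    """Hypothetical block definition; only the `disabled` flag mirrors the advisory."""
    id: str
    name: str
    disabled: bool = False

# Constructed registry: block ids and the two enabled blocks are made up.
REGISTRY = {b.id: b for b in (
    Block("blk-http", "HttpRequestBlock"),
    Block("blk-text", "TextFormatBlock"),
    Block("blk-install", "BlockInstallationBlock", disabled=True),
)}

# Constructed sample graphs: g2 embeds the disabled block as an ordinary node.
GRAPHS = [
    {"id": "g1", "nodes": [{"id": "n1", "block_id": "blk-http"}]},
    {"id": "g2", "nodes": [{"id": "n1", "block_id": "blk-text"},
                           {"id": "n2", "block_id": "blk-install"}]},
]

class GraphValidationError(ValueError):
    """Raised when a graph must not be saved or executed."""

def disabled_nodes(graph):
    """Return (graph id, node id, block name) for each node using a disabled block."""
    blocks = ((n, REGISTRY.get(n["block_id"])) for n in graph["nodes"])
    return [(graph["id"], n["id"], b.name) for n, b in blocks if b and b.disabled]

def validate_graph_before(graph):
    """Gap as described: a node only has to reference a registered block."""
    for node in graph["nodes"]:
        if node["block_id"] not in REGISTRY:
            raise GraphValidationError(f"unknown block {node['block_id']}")

def validate_graph_after(graph):
    """Hardened: same existence check, then the disabled flag is enforced per node."""
    validate_graph_before(graph)
    hits = disabled_nodes(graph)
    if hits:
        raise GraphValidationError(f"disabled block in graph: {hits}")

def audit_graphs(graphs):
    """Sweep already-stored graphs for nodes that reference disabled blocks."""
    return [hit for g in graphs for hit in disabled_nodes(g)]
```

Running `audit_graphs` over stored graphs after upgrading shows whether any graph saved before the fix still references a disabled block.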

Vulnerability details

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The BlockInstallationBlock — a development tool capable of writing and importing arbitrary Python code — was marked disabled=True, but graph validation did not enforce this flag. This allowed any authenticated user to bypass the restriction by including the block as a node in a graph, rather than calling the block's execution endpoint directly (which did enforce the flag). This vulnerability is fixed in 0.6.48.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: artificial intelligence, autogpt

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068: Exploitation for Privilege Escalation. Tactic: Privilege Escalation.
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.006: Python. Tactic: Execution.
Adversaries may abuse Python commands and scripts for execution.

T1190: Exploit Public-Facing Application. Tactic: Initial Access.
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote code execution via arbitrary Python code import/execution (T1059.006) on the backend server, exploitable by low-privilege authenticated users for privilege escalation (T1068), in a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24780 (same product: Agpt Autogpt Platform)
CVE-2025-62616 (same product: Agpt Autogpt Platform)
CVE-2025-62615 (same product: Agpt Autogpt Platform)
CVE-2025-0454 (same product: Agpt Autogpt Platform)
CVE-2025-1040 (same product: Agpt Autogpt Platform)
CVE-2025-22603 (same product: Agpt Autogpt Platform)
CVE-2026-22038 (same product: Agpt Autogpt Platform)
CVE-2024-8156 (same vendor: Agpt)
CVE-2026-32716 (shared CWE-285)
CVE-2025-26683 (shared CWE-285)

Affected Assets

Vendor: agpt
Product: autogpt platform
Versions: ≤ 0.6.48

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 enforces approved authorizations for logical access, directly preventing authenticated users from bypassing disabled flags on blocks like BlockInstallationBlock during graph processing.

Prevent: SI-10 validates graph inputs to enforce restrictions such as disabled=True flags, addressing the validation failure that allowed embedding and execution of the BlockInstallationBlock.

Prevent: AC-6 least privilege limits low-privilege authenticated users from executing arbitrary code via graph nodes, mitigating the high-impact RCE even if enforcement partially fails.

References