Cyber Resilience

CVE-2026-33233

High

Published: 19 May 2026

Modified: 19 May 2026
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0023 (13.5th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33233 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

Vulnerability details

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.
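The control the description says was missing, an HMAC check and a schema check gating deserialization, sketched as an added example (not AutoGPT's code and not its 0.6.52 fix). The names `seal`, `unseal` and `rejected`, the key, and the dict standing in for Redis are assumptions; JSON replaces pickle so that even an authenticated entry cannot carry executable objects.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 digest size in bytes


class CacheIntegrityError(Exception):
    """Cache entry failed authentication or the schema check."""


def _tag(key: bytes, cache_key: str, body: bytes) -> bytes:
    # Length-prefix the cache key so (cache_key, body) pairs cannot collide.
    name = cache_key.encode()
    msg = len(name).to_bytes(4, "big") + name + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, cache_key: str, value: dict) -> bytes:
    """Write path: JSON body with an HMAC tag bound to the cache key."""
    body = json.dumps(value, sort_keys=True).encode()
    return _tag(key, cache_key, body) + body


def unseal(key: bytes, cache_key: str, blob: bytes) -> dict:
    """Read path: authenticate first, then parse, then check the type."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, cache_key, body)):
        raise CacheIntegrityError("HMAC mismatch")
    value = json.loads(body)
    if not isinstance(value, dict):
        raise CacheIntegrityError("unexpected top-level type")
    return value


def rejected(key: bytes, cache_key: str, blob: bytes) -> bool:
    """True when unseal refuses the entry."""
    try:
        unseal(key, cache_key, blob)
    except CacheIntegrityError:
        return True
    return False


# Constructed demo values; a dict stands in for Redis.
KEY = b"constructed-demo-key"
store = {"user:42": seal(KEY, "user:42", {"plan": "pro"})}
store["user:43"] = b"constructed bytes written without the HMAC key"
```

Because the tag covers the cache key name, a valid entry copied to another key is refused as well as bytes written without the HMAC key.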

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: artificial intelligence, autogpt

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Insecure pickle deserialization (CWE-502) of untrusted Redis cache data directly enables arbitrary Python code execution in the backend process.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28277 (shared CWE-502)
CVE-2026-31217 (shared CWE-94)
CVE-2026-22807 (shared CWE-94)
CVE-2025-69872 (shared CWE-94)
CVE-2025-70560 (shared CWE-502)
CVE-2026-31236 (shared CWE-94)
CVE-2025-5120 (shared CWE-94)
CVE-2026-22609 (shared CWE-502)
CVE-2026-4963 (shared CWE-94)
CVE-2026-2008 (shared CWE-94)

Affected Assets

In
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502 CWE-94

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-94 CWE-502

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-345 CWE-502

Mandates verification of data authenticity for software, firmware, and information.

addresses: CWE-345 CWE-502

Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-345

Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.
