PatchSiren cyber security CVE debrief
CVE-2026-33232 Significant-Gravitas CVE debrief
CVE-2026-33232 is an unauthenticated denial-of-service issue in AutoGPT Platform. The vulnerable download_agent_file endpoint creates temporary files for each request but does not delete them after serving them, allowing repeated requests to consume disk space until the backend becomes unavailable. The reported impact is server-wide service failure, including database or other component errors due to "No space left on device" conditions. The issue is patched in AutoGPT Platform 0.6.52.
- Vendor: Significant-Gravitas
- Product: AutoGPT
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Operators and administrators running AutoGPT Platform versions 0.4.2 through 0.6.51, especially environments exposing the affected endpoint to untrusted networks. Security teams should treat this as a high-priority availability issue because it requires no authentication and can take down the backend.
Technical summary
The supplied NVD record describes CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable, low-complexity, unauthenticated availability impact. The weakness set includes CWE-400 (uncontrolled resource consumption), CWE-459 (incomplete cleanup), and CWE-770 (allocation of resources without limits or throttling), which together describe an improper temporary-file lifecycle combined with no cap on how many such files a caller can create. The core failure is that download_agent_file leaves persistent temporary files behind after serving them, so repeated calls can steadily exhaust filesystem space and trigger broader service failures. The advisory states that version 0.6.52 contains the fix.
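The defect class described above, shown as an added Python example that is not AutoGPT Platform's code and does not reproduce its actual handler: a per-request temporary file that is never unlinked, beside two corrected forms (unlink in a finally block, and avoiding the temporary file entirely by serving from memory). Function names, the JSON payload and the directory handling are assumptions made for the illustration.

```python
"""Illustrative temp-file lifecycle patterns (added example, not project code)."""
import io
import os
import tempfile
from pathlib import Path


def serve_export_leaky(agent_json: str, tmp_dir: str) -> bytes:
    """Models the defect class: a temp file is written per request and left on disk.

    Hypothetical handler body; not the vulnerable endpoint's actual implementation.
    """
    fd, path = tempfile.mkstemp(suffix=".json", dir=tmp_dir)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(agent_json)
    with open(path, "rb") as f:
        return f.read()  # 'path' is never removed: every request adds a file


def serve_export_cleanup(agent_json: str, tmp_dir: str) -> bytes:
    """Corrected form 1: the temp file is unlinked on every exit path, errors included."""
    fd, path = tempfile.mkstemp(suffix=".json", dir=tmp_dir)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(agent_json)
        with open(path, "rb") as f:
            return f.read()
    finally:
        # Remove the file whether the read succeeded or raised.
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def serve_export_in_memory(agent_json: str) -> bytes:
    """Corrected form 2: build the response in memory; nothing touches the filesystem."""
    buf = io.BytesIO()
    buf.write(agent_json.encode("utf-8"))
    return buf.getvalue()


def leftover_files(tmp_dir: str) -> int:
    """Count regular files left in the directory (the quantity an operator would monitor)."""
    return sum(1 for p in Path(tmp_dir).iterdir() if p.is_file())


def compare(requests: int = 50) -> dict:
    """Run each variant 'requests' times and report how many files each leaves behind."""
    payload = '{"name": "constructed-demo-agent"}'  # constructed sample payload
    with tempfile.TemporaryDirectory() as leaky_dir, tempfile.TemporaryDirectory() as fixed_dir:
        for _ in range(requests):
            serve_export_leaky(payload, leaky_dir)
            serve_export_cleanup(payload, fixed_dir)
            serve_export_in_memory(payload)
        return {"leaky": leftover_files(leaky_dir), "cleanup": leftover_files(fixed_dir)}


if __name__ == "__main__":
    print(compare())
```

The in-memory form is preferable where the export is small enough to hold in RAM, because it removes the resource entirely rather than relying on cleanup code to run; where a file is genuinely needed, the finally-based unlink (or an equivalent framework background task that runs after the response is sent) is the minimum correct shape.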
Defensive priority
High. This is an unauthenticated network-exploitable availability issue that can disable the AutoGPT backend and related services by exhausting disk space.
Recommended defensive actions
- Upgrade AutoGPT Platform to version 0.6.52 or later as soon as possible.
- Verify that the download_agent_file path no longer leaves persistent temporary files behind.
- Monitor disk usage, temporary directories, and filesystem exhaustion alerts on all affected hosts.
- Add rate limiting, access controls, or network exposure restrictions around the affected endpoint where feasible.
- Check for abnormal growth in temporary files and investigate any recent "No space left on device" errors on the backend.
- If immediate upgrading is not possible, reduce exposure of the service and schedule frequent cleanup and capacity monitoring as a temporary mitigation.
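The monitoring and interim-cleanup steps above, as an added Python example that is not part of the advisory or of AutoGPT Platform: it measures file count and size in a temporary directory, reports disk pressure against a threshold, removes only files older than a configurable age (dry-run by default), and scans log lines for the "No space left on device" marker. The directory, file-name pattern, age threshold and sample log lines are constructed assumptions.

```python
"""Added operational helpers for temp-directory growth and disk-pressure checks."""
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional

ENOSPC_MARKER = "No space left on device"  # string reported in the advisory's failure mode


def scan_temp_dir(tmp_dir: str, pattern: str = "*", now: Optional[float] = None) -> dict:
    """Summarise files matching 'pattern': count, total bytes, age of the oldest file."""
    now = time.time() if now is None else now
    files = [p for p in Path(tmp_dir).glob(pattern) if p.is_file()]
    total = sum(p.stat().st_size for p in files)
    oldest = max((now - p.stat().st_mtime for p in files), default=0.0)
    return {"files": len(files), "bytes": total, "oldest_age_s": oldest}


def disk_status(path: str, warn_pct: float = 85.0) -> dict:
    """Report used percentage of the filesystem holding 'path' and whether it exceeds warn_pct."""
    usage = shutil.disk_usage(path)
    used_pct = 100.0 * usage.used / usage.total if usage.total else 0.0
    return {"used_pct": round(used_pct, 1), "free_bytes": usage.free, "alert": used_pct >= warn_pct}


def stale_files(tmp_dir: str, pattern: str, older_than_s: float,
                now: Optional[float] = None) -> List[Path]:
    """Files matching 'pattern' whose mtime is older than 'older_than_s' seconds."""
    now = time.time() if now is None else now
    return [p for p in Path(tmp_dir).glob(pattern)
            if p.is_file() and now - p.stat().st_mtime > older_than_s]


def cleanup_stale(tmp_dir: str, pattern: str, older_than_s: float,
                  now: Optional[float] = None, dry_run: bool = True) -> List[str]:
    """Remove stale files (only when dry_run=False); always return what would be removed."""
    victims = stale_files(tmp_dir, pattern, older_than_s, now)
    if not dry_run:
        for p in victims:
            p.unlink(missing_ok=True)
    return [str(p) for p in victims]


def find_enospc(log_lines: List[str]) -> List[str]:
    """Return log lines that carry the out-of-space marker, for incident triage."""
    return [line for line in log_lines if ENOSPC_MARKER in line]


def demo() -> dict:
    """Constructed scenario: three old export files plus one fresh one, then an age-based sweep."""
    with tempfile.TemporaryDirectory() as d:
        now = time.time()
        for i in range(3):
            old = Path(d) / f"agent_{i}.json"
            old.write_bytes(b"x" * 1024)
            os.utime(old, (now - 7200, now - 7200))  # two hours old
        fresh = Path(d) / "agent_fresh.json"
        fresh.write_bytes(b"y" * 512)
        os.utime(fresh, (now, now))

        before = scan_temp_dir(d, "agent_*.json", now=now)
        planned = cleanup_stale(d, "agent_*.json", 3600, now=now)  # dry run
        removed = cleanup_stale(d, "agent_*.json", 3600, now=now, dry_run=False)
        after = scan_temp_dir(d, "agent_*.json", now=now)
        return {"before": before["files"], "bytes_before": before["bytes"],
                "planned": len(planned), "removed": len(removed), "after": after["files"]}


if __name__ == "__main__":
    print(demo())
    print(disk_status(tempfile.gettempdir()))
```

Run the sweep in dry-run mode first and compare the planned list against the endpoint's file-name pattern before enabling deletion; a scheduled age-based sweep only limits the window during which leaked files accumulate, so it supplements the upgrade rather than replacing it.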
Evidence notes
The supplied NVD record identifies CVE-2026-33232 as affecting AutoGPT Platform, with versions 0.4.2 through 0.6.51 vulnerable and 0.6.52 listed as the fixed release. The described failure mode is unauthenticated denial of service through uncontrolled disk space consumption caused by the download_agent_file endpoint creating persistent temporary files and not deleting them after serving. NVD metadata also lists the record status as Deferred and provides the referenced GitHub release and advisory URLs.
Official resources
Publicly disclosed on 2026-05-19 through the CVE/NVD record and linked GitHub advisory materials. The supplied record identifies AutoGPT Platform versions 0.4.2 through 0.6.51 as affected and 0.6.52 as the patched release.