PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33233 Significant-Gravitas CVE debrief

AutoGPT versions 0.6.34 through 0.6.51 use Python's pickle module for Redis cache serialization without integrity or authenticity verification. The backend serializes values with pickle.dumps and deserializes them with pickle.loads, with no HMAC, signature, or strict schema validation. An attacker with the ability to poison a shared Redis cache key can achieve arbitrary code execution in the backend container's security context. This affects confidentiality, integrity, and availability. The vulnerability was fixed in version 0.6.52.

Vendor
Significant-Gravitas
Product
AutoGPT
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-19
Original CVE updated
2026-05-19
Advisory published
2026-05-19
Advisory updated
2026-05-19

Who should care

Organizations running AutoGPT platform versions 0.6.34 through 0.6.51 with Redis caching enabled; DevOps teams managing AutoGPT deployments; security teams monitoring for deserialization vulnerabilities in Python applications

Technical summary

The vulnerability exists in AutoGPT's backend cache handling in versions 0.6.34 through 0.6.51. The application uses Python's pickle module to serialize and deserialize cache values stored in Redis: the serialization path calls pickle.dumps without cryptographic signing, and the deserialization path calls pickle.loads without integrity verification or input validation. This is a deserialization of untrusted data condition (CWE-502). A pickle stream is effectively a program for the unpickler's stack machine and can name any importable callable for it to invoke, so an attacker who can write to the Redis cache can store a payload that pickle.loads executes. When the backend retrieves and deserializes the poisoned entry, arbitrary Python code runs within the backend container's security context. The attack requires write access to the Redis instance, which may be obtained through network exposure, compromised credentials, or other cache poisoning vectors in shared cache environments; the CVSS vector (AV:A/AC:H/PR:H) reflects that precondition.
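The following is an added example, not AutoGPT's code, that models the pattern described above: a raw pickle round trip through a cache, the kind of entry an attacker with write access to the key can plant, and a hardened replacement that stores data-only JSON behind an HMAC tag that is verified before anything is parsed. FakeRedis stands in for a real Redis client (redis.Redis set()/get() have the same bytes-in, bytes-out shape) and CACHE_HMAC_KEY is an assumed name for a secret the backend would load from its environment. The payload uses eval() to return the current PID so the demo stays in-process; a real payload would call os.system or subprocess at that point.

```python
"""Vulnerable vs hardened cache (de)serialization (added example, not AutoGPT code)."""
import hashlib
import hmac
import io
import json
import os
import pickle

CACHE_HMAC_KEY = b"assumed-secret-loaded-from-env-not-a-real-key"  # hypothetical name/value


class FakeRedis:
    """In-memory stand-in for a Redis connection (bytes in, bytes out)."""
    def __init__(self):
        self._store = {}

    def set(self, key, value):
        self._store[key] = bytes(value)

    def get(self, key):
        return self._store.get(key)


# -- Vulnerable pattern (CWE-502): raw pickle round trip ----------------------
def vulnerable_set(r, key, value):
    r.set(key, pickle.dumps(value))                     # no tag, no schema

def vulnerable_get(r, key):
    raw = r.get(key)
    return None if raw is None else pickle.loads(raw)   # runs whatever the bytes say


# -- What an attacker with write access to the key can plant ------------------
class Poison:
    """On load, pickle calls the callable returned by __reduce__ with these args."""
    def __reduce__(self):
        # eval() keeps the demo in-process and returns this PID as proof of execution;
        # a real payload would call os.system / subprocess here instead.
        return (eval, ("__import__('os').getpid()",))

def poisoned_bytes():
    # Built in-process for the demo; any client that can SET the key could write the
    # same bytes (the Poison class itself is never needed on the target).
    return pickle.dumps(Poison())


# -- Hardened pattern: data-only encoding, HMAC checked before parsing --------
TAG_LEN = hashlib.sha256().digest_size

def _tag(payload):
    return hmac.new(CACHE_HMAC_KEY, payload, hashlib.sha256).digest()

def safe_set(r, key, value):
    payload = json.dumps(value, separators=(",", ":")).encode()  # JSON has no code paths
    r.set(key, _tag(payload) + payload)

def safe_get(r, key, expected_type=dict):
    raw = r.get(key)
    if raw is None:
        return None
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(payload)):     # constant-time compare first
        raise ValueError(f"cache entry {key!r} failed integrity check")
    value = json.loads(payload)
    if not isinstance(value, expected_type):            # minimal schema gate
        raise ValueError(f"cache entry {key!r} has type {type(value).__name__}")
    return value


# -- Defence in depth while pickle is still in the code path ------------------
class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup; dicts/lists/str/int need none under protocol 2+."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def restricted_loads(raw):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def demo():
    """Runs both paths against the same poisoned bytes; returns what happened."""
    r, key = FakeRedis(), "user:42:profile"
    vulnerable_set(r, key, {"name": "alice"})
    before = vulnerable_get(r, key)
    r.set(key, poisoned_bytes())                        # attacker overwrites the key
    executed = vulnerable_get(r, key) == os.getpid()    # eval() ran inside pickle.loads
    safe_set(r, key, {"name": "alice"})
    verified = safe_get(r, key)
    r.set(key, poisoned_bytes())                        # same bytes, hardened reader
    try:
        safe_get(r, key); rejected = False
    except ValueError:
        rejected = True
    safe_set(r, key, {"name": "alice"})
    raw = r.get(key)
    r.set(key, raw[:-1] + bytes([raw[-1] ^ 1]))         # flip one bit of the payload
    try:
        safe_get(r, key); bit_flip_caught = False
    except ValueError:
        bit_flip_caught = True
    try:
        restricted_loads(poisoned_bytes()); restricted_caught = False
    except pickle.UnpicklingError:
        restricted_caught = True
    restricted_ok = restricted_loads(pickle.dumps({"a": [1, 2]}))  # plain data still loads
    return {"before": before, "executed_in_vulnerable_path": executed,
            "verified": verified, "rejected_by_hmac": rejected,
            "bit_flip_caught": bit_flip_caught,
            "restricted_unpickler_caught": restricted_caught,
            "restricted_plain_data": restricted_ok}

if __name__ == "__main__":
    print(demo())
```

The ordering in safe_get matters: the tag is checked before json.loads runs, so a poisoned or truncated value never reaches a parser. The RestrictedUnpickler is only a stopgap for code that cannot drop pickle immediately; it blocks the global lookup every code-execution gadget needs, but it does not protect against denial-of-service payloads, so replacing pickle with a data-only format plus a tag is the fix to aim for.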

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade AutoGPT to version 0.6.52 or later to obtain the deserialization fix
  • Audit Redis cache access controls to restrict write access to backend services only
  • Implement network segmentation to limit Redis exposure to trusted backend containers
  • Monitor Redis for anomalous key modifications or values that look like pickle streams (protocol 2 and later begin with the byte 0x80 followed by the protocol number; protocol 0 streams are printable opcode text ending in a period); a stream that names a module and callable is the signature of a code-execution payload
  • Review application logs for deserialization errors or unexpected object types that may indicate exploitation attempts
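As an added example for the monitoring bullets above (not part of AutoGPT): a triage routine that disassembles cache values with pickletools.genops, which walks the opcodes without executing anything, and flags every stream that references a global (GLOBAL, INST or STACK_GLOBAL) or invokes a callable (REDUCE, OBJ, NEWOBJ, BUILD). The sample entries are constructed for the demo: one JSON value, one benign pickle, and the classic os.system payload in both protocol-0 and protocol-4 form.

```python
"""Static triage of cached values for pickle streams that reference callables.

Added example, not AutoGPT code. Safe to run over untrusted bytes pulled from
Redis (SCAN + GET) because pickletools.genops parses without executing.
"""
import pickle
import pickletools

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def pickle_globals(raw):
    """Return (globals, calls) for a pickle, or None if raw is not a pickle.

    globals: 'module.name' references the stream would import on load
    calls:   number of opcodes that invoke a callable or run __setstate__
    """
    refs, calls, strings = [], 0, []
    try:
        for op, arg, _pos in pickletools.genops(raw):
            if op.name in STRING_OPS:
                strings.append(arg)                 # pushed before STACK_GLOBAL
            elif op.name in ("GLOBAL", "INST"):     # arg is 'module name'
                refs.append(".".join(arg.split()))
            elif op.name == "STACK_GLOBAL":         # module and name taken from the stack
                refs.append(f"{strings[-2]}.{strings[-1]}")
            if op.name in CALL_OPS:
                calls += 1
    except Exception:                               # any decode failure: not a pickle
        return None
    return refs, calls


def scan(entries):
    """Return {key: finding} for entries that are pickles naming a global or a call."""
    findings = {}
    for key, raw in entries.items():
        parsed = pickle_globals(raw)
        if parsed is None:
            continue
        refs, calls = parsed
        if refs or calls:
            findings[key] = {"globals": refs, "calls": calls}
    return findings


# Constructed sample of what a SCAN/GET sweep might return (key -> raw value).
SAMPLE_CACHE = {
    "session:1": b'{"theme":"dark"}',                                      # JSON, not pickle
    "profile:1": pickle.dumps({"name": "alice", "count": 3}, protocol=4),  # benign pickle
    # Classic protocol-0 payload: GLOBAL os.system, STRING 'id', TUPLE, REDUCE, STOP
    "profile:2": b"cos\nsystem\n(S'id'\ntR.",
    # Same payload as a protocol-4 stream using STACK_GLOBAL and TUPLE1
    "profile:3": b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R.",
}

if __name__ == "__main__":
    for key, finding in scan(SAMPLE_CACHE).items():
        print(f"{key}: globals={finding['globals']} calls={finding['calls']}")
```

Keys that are supposed to hold JSON but parse as a pickle at all are worth an alert on their own; for keys that legitimately hold pickles, compare the reported globals against the small set of classes the application actually stores and page on anything else, os.system and builtins.eval included.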

Evidence notes

CVE published 2026-05-19. CVSS 3.1 vector: AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. CWE-94 (Improper Control of Generation of Code), CWE-345 (Insufficient Verification of Data Authenticity), CWE-502 (Deserialization of Untrusted Data). Fix confirmed in autogpt-platform-beta-v0.6.52 release.
