PatchSiren cyber security CVE debrief
CVE-2026-45023 Significant-Gravitas CVE debrief
A missing authorization check in AutoGPT's block execution API allows authenticated users to bypass credit consumption controls. The POST /api/blocks/{block_id}/execute endpoint executes blocks without validating or deducting user credits, enabling unlimited free execution of all block types. The credit enforcement mechanism exists only in the graph execution path (manager.py) and is never invoked for direct API calls to this endpoint. This represents a business logic flaw where a critical access control check is implemented in one code path but omitted from another that provides equivalent functionality. The vulnerability requires valid authentication but no special privileges, making it exploitable by any registered user. Fixed in version 0.6.59.
- Vendor
- Significant-Gravitas
- Product
- AutoGPT
- CVSS
- MEDIUM 5.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations operating AutoGPT deployments with usage-based billing or resource quotas; security teams monitoring for API authorization inconsistencies; developers maintaining workflow automation platforms with multi-path execution architectures
Technical summary
The vulnerability exists in the POST /api/blocks/{block_id}/execute endpoint of AutoGPT versions prior to 0.6.59. While the platform implements credit checks within the graph execution workflow managed by manager.py, this validation is not applied to direct API invocations of the block execution endpoint. Authenticated users can exploit this inconsistency to execute arbitrary blocks without credit consumption, effectively obtaining unlimited computational resources. The flaw is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-841 (Improper Enforcement of Behavioral Workflow), indicating both resource management and workflow enforcement failures. The fix in version 0.6.59 presumably extends credit validation to all block execution paths or consolidates execution logic to ensure consistent policy enforcement.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade AutoGPT to version 0.6.59 or later to obtain the credit enforcement fix
- If immediate patching is not feasible, implement API gateway or WAF rules to monitor and rate-limit requests to /api/blocks/{block_id}/execute
- Review application logs for anomalous block execution patterns that may indicate exploitation
- Audit user account activity for unexpected credit balance discrepancies or high-volume block executions
- Verify that alternative execution paths (graph execution via manager.py) maintain proper credit deduction behavior post-upgrade
- Consider implementing additional server-side credit validation as a defense-in-depth measure for all block execution entry points
Evidence notes
CVE description confirms credit check exists in manager.py graph execution path but is bypassed via direct API calls to /api/blocks/{block_id}/execute. CVSS 5.4 (MEDIUM) with AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L vector indicates network-accessible, low attack complexity, low privileges required, no user interaction, with integrity and availability impacts. CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-841 (Improper Enforcement of Behavioral Workflow) cited. GitHub Security Advisory GHSA-8pjg-mfqm-vrhr provides vendor acknowledgment.
Official resources
-
CVE-2026-45023 CVE record
CVE.org
-
CVE-2026-45023 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-28