CVE-2026-45023: AutoGPT Credit Bypass in Block Execution API
AutoGPT versions before 0.6.59 contain a flaw in their API implementation that allows authenticated users to execute workflow blocks without consuming credits from their account balance. The vulnerability stems from an API endpoint that bypasses the credit-checking logic present elsewhere in the system, enabling users to run unlimited blocks at no cost. This is a business model violation rather than a critical system compromise, but it undermines the platform's monetization and resource management controls.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-770, CWE-841
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The POST /api/blocks/{block_id}/execute endpoint in AutoGPT fails to enforce credit consumption checks on direct API calls. While the graph execution path in manager.py contains valid credit validation logic, direct block execution via the external API circumvents this check entirely. The vulnerability affects CWE-770 (allocation of resources without limits or throttling) and CWE-841 (improper enforcement of behavioral workflow), allowing authenticated attackers to execute arbitrary blocks without depleting their credit balance. The issue is resolved in version 0.6.59.
Business impact
Organizations operating AutoGPT deployments face potential revenue leakage and unfair consumption patterns. Users with valid credentials can execute unlimited AI agent workflows without incurring charges, distorting usage metrics and cost allocation. For multi-tenant deployments or SaaS offerings, this creates cross-tenant fairness issues and undermines billing integrity. The abuse window depends on deployment model—self-hosted instances may not notice the impact, while public or metered instances face direct financial exposure.
Affected systems
AutoGPT versions prior to 0.6.59 are vulnerable. The issue specifically impacts the external API surface when blocks are invoked directly; internal workflow execution via the graph execution path is unaffected. Any AutoGPT deployment accepting API calls to /api/blocks/{block_id}/execute is exposed. Users must verify their current version against official AutoGPT release notes.
Exploitability
The vulnerability requires valid authentication (PR:L in CVSS vector), so unauthenticated remote exploitation is not possible. Any authenticated user can trigger the flaw by repeatedly calling the affected endpoint with their own or accessible block IDs. No special privileges, unusual configurations, or user interaction are required. The attack surface is the public-facing API, making it easily discoverable and repeatable by any user with API credentials.
Remediation
Upgrade AutoGPT to version 0.6.59 or later. Administrators should review deployment pipelines to ensure the patch is applied across all instances. For organizations unable to patch immediately, implement network-level controls to restrict direct access to /api/blocks/{block_id}/execute or enforce additional middleware-based credit validation until patching is complete.
Patch guidance
Apply AutoGPT version 0.6.59 through your standard deployment and update mechanisms. Verify the version post-deployment using official version endpoints or admin dashboards. If running in a Kubernetes or container environment, update the image tag and redeploy. If running self-hosted on virtual machines, follow the official upgrade documentation from the AutoGPT project. Backward compatibility should be verified in staging before production rollout.
Detection guidance
Monitor API logs for anomalous patterns in /api/blocks/{block_id}/execute calls—specifically, high-frequency invocations from single users or IPs without corresponding credit deductions. Cross-reference API call volume with actual credit usage by user; significant mismatches indicate potential exploitation. Audit block execution logs to identify users executing blocks they would not normally afford under billing constraints. Track version numbers across all AutoGPT instances to identify lagging deployments.
Why prioritize this
This vulnerability merits timely but not emergency patching. The CVSS score of 5.4 reflects a medium-severity issue with limited scope: integrity (billing fairness) and availability (resource fairness) are compromised, but confidentiality is unaffected. The requirement for authentication significantly reduces blast radius. However, the ease of exploitation and direct financial impact on SaaS or metered offerings justifies prioritization within 30 days for exposed deployments.
Risk score, explained
CVSS 5.4 (Medium) reflects: (1) network-accessible endpoint (AV:N), low attack complexity requiring only API knowledge (AC:L), (2) authentication required (PR:L) limiting spontaneous abuse, (3) no user interaction needed (UI:N), (4) single-system scope (S:U), (5) no confidentiality loss (C:N), but (6) integrity and availability impacts via billing and resource fairness violations (I:L/A:L). The score is appropriate for a resource-bypass flaw with monetization implications but no lateral escalation or data breach potential.
Frequently asked questions
Who can exploit this vulnerability?
Any user with valid AutoGPT API credentials. Exploitation does not require elevated privileges or special roles—standard user credentials are sufficient. Internal users, external API consumers, or compromised low-privilege accounts can all trigger the flaw.
Does this vulnerability expose customer data or allow lateral movement?
No. The flaw is scoped to credit consumption bypass and does not grant access to other users' data, blocks, or workflows. It is a business model violation, not an access control breach or data exfiltration vector.
Can this be exploited before authentication is obtained?
No. The endpoint requires valid authentication (PR:L). Attackers must first obtain legitimate credentials through phishing, credential reuse, or account compromise. Once authenticated, no further barriers exist.
What versions of AutoGPT are affected?
All versions prior to 0.6.59 are vulnerable. Users should verify their current version and apply the patch immediately if running an earlier release. Consult official AutoGPT release notes to confirm your version number.
This analysis is provided for informational purposes by SEC.co and does not constitute professional security advice. Organizations should verify all claims against official vendor advisories and conduct their own risk assessments. CVSS scores, affected versions, and patch information are current as of the date of publication and should be revalidated against official AutoGPT release notes and security communications. Testing and deployment of patches should occur in controlled staging environments before production rollout. SEC.co assumes no liability for deployment decisions or operational outcomes arising from this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size
- CVE-2026-45078MEDIUMSynapse Denial-of-Service via CPU Exhaustion (v1.152.1+)
- CVE-2026-45292MEDIUMOpenTelemetry Java Baggage DoS Vulnerability – Patch & Detection Guide
- CVE-2026-45352MEDIUMcpp-httplib Negative Chunk Size Denial of Service