What is the authoritative source for CVE-2026-24780?

CVE-2026-24780 (CVE-2026-24780) is catalogued in NVD + CISA KEV + FIRST EPSS and curated for EU compliance use cases by SQUR.

How severe is CVE-2026-24780?

CVE-2026-24780 carries a HIGH CVSS 8.8 severity rating.

CVE-2026-24780HIGH 8.8EPSS p62.6%

CVE-2026-24780CVE-2026-24780

Description

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform's block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix.

Scoring

CVSS 3.1	8.8 (HIGH)
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS	1.15% probability of exploitation · percentile 62.6% · 2026-06-18T12:00:27Z
Published	2026-01-29
Last modified	2026-02-17

Underlying weaknesses· 3

CWE-94 CWE-276 CWE-863

References

3

Type	Target	Confidence	Tier
Weakness	Incorrect Default Permissionscwe-276	0%	live
Weakness	Incorrect Authorizationcwe-863	0%	live
Weakness	Improper Control of Generation of Code ('Code Injection')cwe-94	0%	live