VYPR
Critical severity · NVD Advisory · Published Sep 11, 2024 · Updated Sep 11, 2024

Shell Command Denylist Bypass in significant-gravitas/autogpt

CVE-2024-6091

Description

AutoGPT 0.5.1 allows shell command denylist bypass by using alternate path forms like '/bin/./whoami'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A security vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings [1][2]. The issue occurs when the denylist is configured to block specific commands, such as 'whoami' and '/bin/whoami'. An attacker can circumvent this restriction by executing commands with a modified path, such as '/bin/./whoami', which is not recognized by the denylist [2].

To exploit this vulnerability, an attacker only needs to craft shell commands using benign path variations like inserting './' into the command path. No special privileges beyond the ability to issue shell commands to the agent are required. The attacker can achieve execution of arbitrary blocked commands through this path manipulation technique [2].

The impact is that an attacker can execute arbitrary shell commands that were intended to be blocked by the denylist. This can lead to unauthorized actions on the host system depending on the permissions the agent runs with [2]. The AutoGPT project documentation now explicitly states that the shell configuration components are not intended for security and recommends using more appropriate sandboxing in production environments [3].

Users who need stronger isolation should not rely on the denylist for security. The project has added documentation clarifying that the shell command features are "for convenience only" and not secure. Users are advised to implement proper sandboxing, such as using Docker containers with restricted permissions, to securely constrain agent shell execution [3].
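
The bypass described above comes down to comparing command strings literally. The following is an added example, not AutoGPT's code: the function names and the exact-match behaviour of the naive check are assumptions modelled on the advisory's description. It compares a literal denylist check with one that normalizes the executable path before matching.

```python
import posixpath
import shlex

# Constructed denylist mirroring the advisory's example configuration.
DENYLIST = ["whoami", "/bin/whoami"]


def naive_is_allowed(command_line, denylist=DENYLIST):
    """Assumed vulnerable behaviour: literal match on the first token."""
    tokens = shlex.split(command_line)
    return bool(tokens) and tokens[0] not in denylist


def canonical_forms(executable):
    """Spellings to compare by: as typed, normalized path, bare name."""
    normalized = posixpath.normpath(executable)  # '/bin/./whoami' -> '/bin/whoami'
    return {executable, normalized, posixpath.basename(normalized)}


def hardened_is_allowed(command_line, denylist=DENYLIST):
    """Normalize both sides before matching; fail closed on unparsable input."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # e.g. unbalanced quotes
        return False
    if not tokens:
        return False
    blocked = set()
    for entry in denylist:
        blocked |= canonical_forms(entry)
    return canonical_forms(tokens[0]).isdisjoint(blocked)


def compare(commands):
    """Return (command, naive verdict, hardened verdict) for each command."""
    return [(c, naive_is_allowed(c), hardened_is_allowed(c)) for c in commands]


if __name__ == "__main__":
    # Constructed sample commands; the third is the form from the advisory.
    for row in compare(["whoami", "/bin/whoami", "/bin/./whoami", "ls -la"]):
        print("%-16s naive_allowed=%-5s hardened_allowed=%s" % row)
```

Normalization closes only the path-form gap named in this advisory; the project's documentation still treats the denylist as a convenience setting and recommends sandboxing [3].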

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| agpt (PyPI) | <= 0.5.1 | |

Affected products

2
  • ghsa-coords
    Range: <= 0.5.1
  • significant-gravitas/significant-gravitas/autogptv5
    Range: unspecified

Patches

1
ef691359b774

feat: document the use of isolation better (#8028)

https://github.com/Significant-Gravitas/AutoGPT · Nicholas Tindle · Sep 9, 2024 · via ghsa
1 file changed · +2 0
  • docs/content/forge/components/built-in-components.md+2 0 modified
    @@ -69,6 +69,8 @@ Lets the agent execute non-interactive Shell commands and Python code. Python ex
     | `shell_denylist`         | List of prohibited shell commands                    | `List[str]`                 | `[]`              |
     | `docker_container_name`  | Name of the Docker container used for code execution | `str`                       | `"agent_sandbox"` |
     
    +All shell command configurations are expected to be for convience only. This component is not secure and should not be used in production environments. It is recommended to use more appropriate sandboxing.
    +
     ### CommandProvider
     
     - `execute_shell` execute shell command
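
Review bot: "convience" in the added sentence should be "convenience", and the warning as worded gives readers nothing concrete to act on. It sits directly below the `shell_denylist` and `docker_container_name` rows but names neither, so consider stating explicitly that `shell_denylist` is not a security control and spelling out what "more appropriate sandboxing" means here, for example whether running inside the container named by `docker_container_name` is the intended isolation. "All shell command configurations" is also ambiguous about whether it covers the Python code execution that the section intro mentions alongside shell commands.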
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
