VYPR
High severity 7.6 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-33233

Description

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AutoGPT 0.6.34–0.6.51 deserializes Redis cache bytes via pickle.loads without integrity checks, enabling RCE if an attacker poisons a shared-cache key.

Vulnerability

AutoGPT Platform versions 0.6.34 through 0.6.51 contain a critical deserialization flaw in the backend Redis cache handling [2]. The read path in backend/util/cache.py executes pickle.loads(cached_bytes) on bytes retrieved from Redis without HMAC, signature, or schema validation [2]. The write path stores values using pickle.dumps(…), so any key that can be poisoned will trigger arbitrary object deserialization upon the next read [2].

Exploitation

An attacker who can write to a shared Redis cache key—for example by exploiting another vulnerability, having network access to the Redis instance, or leveraging a misconfiguration—can store a malicious pickled payload. When the backend subsequently reads that key (e.g., via a @cached decorated function), it blindly deserializes the crafted bytes, executing arbitrary code within the backend container context [2]. A proof‑of‑concept provided by the vendor uses a PickleRCE class whose __reduce__ method executes an OS command, confirming the attack path works against the official Docker Compose stack [2].

Impact

Successful exploitation yields arbitrary command execution in the backend container, compromising the confidentiality, integrity, and availability of the AutoGPT instance [2]. The attacker gains the same privileges as the backend process, which can include access to secrets, stored agent data, and the ability to pivot to other services [2].

Mitigation

The issue is fixed in AutoGPT release autogpt-platform-beta-v0.6.52 [1][2]. Users running versions 0.6.34 through 0.6.51 should upgrade immediately. No workaround is provided for unpatched versions; if upgrade is not possible, strict network segmentation and access control for the Redis instance should be enforced to reduce the risk of cache poisoning [2].
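
The description names the missing control: an HMAC or schema check that gates deserialization of cache bytes. The sketch below is an added example, not AutoGPT's code and not a description of how 0.6.52 fixes the issue; it assumes a service-held secret key, JSON-representable cache values, and a plain dict standing in for Redis, and the names seal, unseal and cache_get are hypothetical.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag prepended to every entry


class CacheIntegrityError(Exception):
    """Raised when a cache entry fails authentication or parsing."""


def seal(value, key: bytes) -> bytes:
    """Write path: JSON carries data only (no object construction); tag covers the body."""
    body = json.dumps(value, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes, key: bytes):
    """Read path: verify the tag first, so only bytes this service wrote get parsed."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; False on short tags
        raise CacheIntegrityError("HMAC mismatch")
    try:
        return json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise CacheIntegrityError("malformed body") from exc


def cache_get(store: dict, name: str, key: bytes):
    """A failed check is treated as a cache miss and the bad entry is evicted."""
    blob = store.get(name)
    if blob is None:
        return None
    try:
        return unseal(blob, key)
    except CacheIntegrityError:
        store.pop(name, None)
        return None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    store = {"graph:42": seal({"id": 42, "name": "demo"}, key)}  # dict stands in for Redis
    print(cache_get(store, "graph:42", key))   # authentic entry is returned
    store["graph:42"] = b"\x80\x04" + b"x" * 60  # constructed foreign write to the key
    print(cache_get(store, "graph:42", key))   # rejected before any parsing
```

The key has to live outside Redis (for example in the backend's secret configuration), otherwise anyone who can write cache keys can also forge tags.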

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
