CVE-2026-33234
Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python's smtplib.SMTP() to open a raw TCP connection with no IP address validation. This completely bypasses the platform's hardened SSRF protections in backend/util/request.py — the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist that every other block uses to block connections to private, loopback, link-local, and cloud metadata addresses. An authenticated user on a shared AutoGPT deployment can use this to perform non-blind internal network port scanning and service fingerprinting: smtplib reads the target's TCP banner on connect and embeds it in the exception message, which is persisted as user-visible block output via the execution framework. This issue has been fixed in version 0.6.52.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SendEmailBlock in AutoGPT 0.1.0–0.6.51 allows SSRF via user-controlled SMTP server, bypassing IP blocklist, enabling internal network port scanning.
Vulnerability
In AutoGPT versions 0.1.0 through 0.6.51, the SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs. These values are passed directly to Python's smtplib.SMTP() without any IP address validation, completely bypassing the platform's hardened SSRF protections (validate_url_host() and BLOCKED_IP_NETWORKS blocklist) that every other block uses [1]. The SMTPConfig is a plain Pydantic BaseModel embedded inside SendEmailBlock.Input, making it a per-execution user input rather than a platform credential [1].
Exploitation
An authenticated user on a shared AutoGPT deployment can exploit this by providing a malicious smtp_server (e.g., a private, loopback, link-local, or cloud metadata address) and an arbitrary smtp_port. The smtplib.SMTP() call opens a raw TCP connection to the specified target; upon connection, smtplib reads the target's TCP banner and embeds it in the exception message. This exception message is persisted as user-visible block output via the execution framework, allowing non-blind internal network port scanning and service fingerprinting [1].
Impact
An attacker can perform internal network reconnaissance, identifying open ports and service banners on hosts that are otherwise protected from external access. This information disclosure can reveal the presence of internal services (e.g., databases, cloud metadata endpoints) and aid in further attacks. No code execution or data modification is achieved directly, but the leaked information may be used to escalate privileges or pivot within the network [1].
Mitigation
The issue has been fixed in version 0.6.52, released in March 2026 [2]. Users should upgrade to AutoGPT platform version 0.6.52 or later. No workaround is documented; the fix likely involves adding IP validation to the SendEmailBlock similar to other blocks. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
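To illustrate the kind of check the fix needs, here is an added example (not AutoGPT's own code; the blocklist contents, the function names and the error handling are assumptions) that resolves the user-supplied SMTP host, refuses any address in a blocked range before smtplib opens a socket, and keeps the peer's banner out of the error that reaches the user:

```python
import ipaddress
import smtplib
import socket

# Assumed blocklist in the spirit of the advisory's BLOCKED_IP_NETWORKS;
# it is not AutoGPT's actual list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class BlockedHostError(ValueError):
    """The SMTP host resolves to a private, loopback, link-local or metadata address."""


def resolve_smtp_host(host: str, port: int) -> list[str]:
    """Return host's resolved addresses; raise if any is in a blocked range.

    Every record is checked (a hostile name may answer with a public and a
    private address), and IPv4-mapped IPv6 such as ::ffff:127.0.0.1 is unwrapped.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid SMTP port {port}")
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve SMTP host {host!r}") from exc
    addresses = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = ipaddress.ip_address(sockaddr[0])
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise BlockedHostError(f"{host!r} resolves to blocked address {ip}")
        addresses.append(str(ip))
    return addresses


def open_smtp(host: str, port: int, timeout: float = 10.0) -> smtplib.SMTP:
    """Connect only after validation, to the validated address, with a generic error."""
    addresses = resolve_smtp_host(host, port)
    try:
        # Connecting to the checked address (not re-resolving host) closes the
        # DNS-rebinding window between validation and connect.
        return smtplib.SMTP(addresses[0], port, timeout=timeout)
    except (OSError, smtplib.SMTPException):
        # smtplib puts the peer's banner in the exception text; surfacing it
        # to the user is the fingerprinting channel the advisory describes.
        raise ConnectionError(f"could not connect to SMTP host {host!r}") from None
```

A block that embeds the plain-text smtplib.SMTP() call can route it through open_smtp() so that validation and error sanitisation are applied on every execution.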
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: >=0.1.0, <=0.6.51
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.