CVE-2026-45023
Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, the POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AutoGPT prior to 0.6.59 allows unlimited free block execution via direct API call, bypassing the credit check.
Vulnerability
In AutoGPT versions prior to 0.6.59, the POST /api/blocks/{block_id}/execute endpoint executes blocks without performing any credit consumption check. The credit balance verification exists only in the graph execution path (manager.py), which is not reached when blocks are invoked directly via the external API. This allows any authenticated user to execute arbitrary blocks regardless of their credit balance.
Exploitation
An attacker with a valid user account can send a POST request to /api/blocks/{block_id}/execute with the desired block ID and input data. No special privileges or credit balance are required. The endpoint directly executes the block without checking or deducting credits, as confirmed by static code analysis [1].
Impact
Successful exploitation enables unlimited free execution of all blocks, effectively bypassing the platform's credit-based monetization system. This can lead to resource exhaustion, denial of service through excessive usage, or financial loss for the service provider.
Mitigation
The vulnerability is fixed in AutoGPT version 0.6.59. Users should upgrade to this version or later. No workarounds are available for earlier versions.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 products, range: <0.6.59
- (no CPE) range: <0.6.59
- (no CPE) range: <0.6.59
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing credit balance check in the external API block execution endpoint allows bypass of the platform's billing and rate-limiting mechanism."
Attack vector
An authenticated attacker sends a POST request to `/api/blocks/{block_id}/execute` with valid block input. The external API handler in `routes.py` executes the block directly via `obj.execute(data)` without consulting the credit system [ref_id=1]. Because the credit check lives only in the graph execution path (`manager.py`), it is completely bypassed, allowing unlimited free execution of any block regardless of the user's credit balance [ref_id=1].
Affected code
The vulnerability is in `autogpt_platform/backend/backend/api/external/v1/routes.py` (lines 79–94), where the `POST /api/blocks/{block_id}/execute` endpoint calls `obj.execute(data)` directly without any credit check [ref_id=1]. The credit balance check exists only in `autogpt_platform/backend/backend/executor/manager.py` inside `execute_graph()`, which is never reached when blocks are called via the external API [ref_id=1].
What the fix does
The advisory recommends adding a credit balance check in `routes.py` before block execution: fetch the user's credit balance via `get_user_credit_balance(auth.user_id)` and raise an HTTP 402 error if the balance is zero or below [ref_id=1]. No patch diff is provided in the bundle, but the fix is described as applying the same credit enforcement that already exists in `manager.py` to the external API endpoint [ref_id=1].
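The check described above, as an added example that is not AutoGPT's code or the advisory's patch: `get_user_credit_balance` is the name given in the advisory, while the `HTTPException` stand-in, `CountingBlock`, the two handler names, `probe` and the sample balances are assumptions constructed so the example runs without FastAPI.

```python
import asyncio

class HTTPException(Exception):
    """Stand-in for fastapi.HTTPException so the example runs offline."""
    def __init__(self, status_code, detail):
        super().__init__(detail)
        self.status_code, self.detail = status_code, detail

# Constructed sample balances (user id -> credits); not real data.
BALANCES = {"funded-user": 100, "empty-user": 0}

async def get_user_credit_balance(user_id):
    # Function name comes from the advisory text; this body is a stub.
    return BALANCES.get(user_id, 0)

class CountingBlock:
    """Hypothetical block that records how many times it was executed."""
    def __init__(self):
        self.runs = 0

    async def execute(self, data):
        self.runs += 1
        return {"echo": data}

async def execute_block_unchecked(user_id, obj, data):
    # Shape described for versions before 0.6.59: no credit lookup at all.
    return await obj.execute(data)

async def execute_block_checked(user_id, obj, data):
    # Check described in the advisory: HTTP 402 when balance is zero or below.
    if await get_user_credit_balance(user_id) <= 0:
        raise HTTPException(status_code=402, detail="Insufficient credits")
    return await obj.execute(data)

def probe(handler, user_id):
    """Call a handler once; return (HTTP-style status, times the block ran)."""
    block = CountingBlock()
    try:
        asyncio.run(handler(user_id, block, {"input": "x"}))
        return 200, block.runs
    except HTTPException as exc:
        return exc.status_code, block.runs

if __name__ == "__main__":
    for handler in (execute_block_unchecked, execute_block_checked):
        for user in ("funded-user", "empty-user"):
            print(handler.__name__, user, probe(handler, user))
```

The `probe` helper doubles as a regression test shape: a zero-balance caller must get 402 and the block's run counter must stay at 0. The check only gates execution; deducting credits for a permitted run is a separate step that this page does not describe.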
Preconditions
- auth: Attacker must be an authenticated user of the AutoGPT platform
- input: Attacker sends a POST request to /api/blocks/{block_id}/execute with a valid block ID and input payload
- network: No network-level restrictions block access to the API endpoint
Reproduction
1. Authenticate as a user with zero or low credit balance on an AutoGPT instance (e.g., master branch, Docker Desktop).
2. Send a POST request to `http://localhost:3000/api/proxy/api/blocks/{block_id}/execute` with `Content-Type: application/json` and a valid block input body.
3. Observe that the block execution is attempted (HTTP 500 from `run()`) and that credits are not deducted (balance remains unchanged) [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1
News mentions
No linked articles in our index yet.