> ESC
↑↓ navigate select esc close
← Achievements

CVE-2026-33232: AutoGPT Platform Unauthenticated DoS via Disk Exhaustion

📅 2026-03-18 📂 Vulnerability Discovery 2 min read CVSS 7.5
CVEDoSDisk ExhaustionAutoGPTFastAPIPython
CVSS
7.5 HIGH
👥Estimated Impact: 200,000+ customers
TL;DR:
AutoGPT Platform backend download endpoint leaves persistent temp files, allowing unauthenticated attackers to exhaust disk space and crash the service.

Summary

An unauthenticated Denial of Service (DoS) in the AutoGPT Platform backend allows any user to exhaust disk space by repeatedly downloading agent files. The public download_agent_file endpoint writes each response to a persistent temporary file and never deletes it, enabling attackers to fill /tmp and crash the service.

CVE ID: CVE-2026-33232
Advisory: GHSA-374w-2pxq-c9jp
Affected Versions: >= 0.4.2
Patched Version: 0.6.52
Component: autogpt_platform/backend/backend/api/features/store/routes.py

Vulnerability Details

The download endpoint generates a JSON payload for an agent and streams it from a temporary file:

# autogpt_platform/backend/backend/api/features/store/routes.py
with tempfile.NamedTemporaryFile(
    mode="w", suffix=".json", delete=False
) as tmp_file:
    tmp_file.write(backend.util.json.dumps(graph_data))
    tmp_file.flush()

    return fastapi.responses.FileResponse(
        tmp_file.name, filename=file_name, media_type="application/json"
    )

delete=False creates a permanent file on disk, and FastAPI's FileResponse does not clean it up after sending the response. Because the route is unauthenticated, an attacker can repeatedly request the endpoint to accumulate thousands of files in the system temp directory until the host runs out of space.

Proof of Concept

  1. Obtain a valid store_listing_version_id (publicly enumerable via /agents).
  2. Flood the download endpoint:
while true; do
  curl -s http://localhost:8000/download/agents/<store_listing_version_id> >/dev/null
done
  1. Watch the growing number of persistent files:
ls -l /tmp/agent_*.json | wc -l
df -h /tmp

Disk usage rises continuously until /tmp is full, causing application and database failures.

Impact

  • Full backend outage as disk space is exhausted
  • Secondary failures (database writes, logging, container crashes) once the filesystem reports No space left on device
  • Exploitable by any unauthenticated user over the public endpoint

Mitigations

  • Upgrade to AutoGPT Platform 0.6.52 or later.
  • If patching manually, avoid persistent temp files (e.g., return a JSONResponse, stream from memory, or attach a background task to delete the temp file after sending).

References