CVE-2026-33234— AutoGPT: SendEmailBlock's IP blocklist bypass allows SSRF via user-controlled SMTP server
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33234
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AutoGPT: SendEmailBlock's IP blocklist bypass allows SSRF via user-controlled SMTP server
Source: NVD (National Vulnerability Database)
Vulnerability Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python's smtplib.SMTP() to open a raw TCP connection with no IP address validation. This completely bypasses the platform's hardened SSRF protections in backend/util/request.py — the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist that every other block uses to block connections to private, loopback, link-local, and cloud metadata addresses. An authenticated user on a shared AutoGPT deployment can use this to perform non-blind internal network port scanning and service fingerprinting: smtplib reads the target's TCP banner on connect and embeds it in the exception message, which is persisted as user-visible block output via the execution framework. This issue has been fixed in version 0.6.52.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Significant-Gravitas | AutoGPT | >= 0.1.0, < 0.6.52 | - |
II. Public POCs for CVE-2026-33234
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33234
请登录查看更多情报信息。
Same Patch Batch · Significant-Gravitas · 2026-05-19 · 3 CVEs total
| CVE-2026-33233 | 7.6 HIGH | AutoGPT Platform: Remote Code Execution via Unsafe Pickle Deserialization of Redis Cache E |
| CVE-2026-33232 | 7.5 HIGH | AutoGPT: Unauthenticated DoS via Disk Space Exhaustion |
IV. Related Vulnerabilities
Same product: AutoGPT
- CVE-2026-33233
AutoGPT Platform: Remote Code Execution via Unsafe Pickle De - CVE-2026-33232
AutoGPT: Unauthenticated DoS via Disk Space Exhaustion - CVE-2026-30950
AutoGPT has Authenticated Session Hijacking via IDOR - CVE-2025-32425
AutoGPT has missing Docker log rotation on platform containe - CVE-2025-41023
Authentication bypass in AutoGPT de Thesamur
Same vendor: Significant-Gravitas
- CVE-2026-33233
AutoGPT Platform: Remote Code Execution via Unsafe Pickle De - CVE-2026-33232
AutoGPT: Unauthenticated DoS via Disk Space Exhaustion - CVE-2026-30950
AutoGPT has Authenticated Session Hijacking via IDOR - CVE-2025-32425
AutoGPT has missing Docker log rotation on platform containe - CVE-2026-26020
AutoGPT Affected by Remote Code Execution via Dynamic Module
Same weakness: CWE-918
- CVE-2026-31910
Apache OFBiz: Improper Input Validation in UI Factory Classe - CVE-2026-29226
Apache OFBiz: Low-Privilege SSRF in Content Component - CVE-2026-45245
Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted - CVE-2026-6333
SSRF via Host Header Spoofing in Custom Slash Commands - CVE-2026-8768
vercel ai provider-utils download-blob.ts validateDownloadUr
V. Comments for CVE-2026-33234
No comments yet