{"id":"CVE-2026-56663","summary":"AutoGPT: SSRF-to-RCE Chain in `SendWebRequestBlock` via IP validation bypass and internal `pg-meta` access","details":"AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.","aliases":["GHSA-8qc5-rhmg-r6r6"],"modified":"2026-07-15T01:49:12.500081261Z","published":"2026-06-26T16:04:54.364Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56663.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-918"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56663.json"},{"type":"ADVISORY","url":"https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-8qc5-rhmg-r6r6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56663"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/significant-gravitas/autogpt","events":[{"introduced":"0"},{"fixed":"f01f6686744e1913334641bd2242fc0ed2a1bbc6"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.6.52"}],"source":"AFFECTED_FIELD"}}],"versions":["autogpt-platform-beta-v0.6.50","autogpt-platform-beta-v0.6.51","autogpt-platform-beta-v0.6.49","autogpt-platform-beta-v0.6.48","autogpt-platform-beta-v0.6.47","autogpt-platform-beta-v0.6.46","autogpt-platform-beta-v0.6.43","autogpt-platform-beta-v0.6.42","autogpt-platform-beta-v0.6.41","autogpt-platform-beta-v0.6.40","autogpt-platform-beta-v0.6.39","autogpt-platform-beta-v0.6.38","autogpt-platform-beta-v0.6.37","autogpt-platform-beta-v0.6.36","autogpt-platform-beta-v0.6.35","autogpt-platform-beta-v0.6.34","autogpt-platform-beta-v0.6.33","autogpt-platform-beta-v0.6.32","autogpt-platform-beta-v0.6.31","autogpt-platform-beta-v0.6.30","autogpt-platform-beta-v0.6.29","autogpt-platform-beta-v0.6.28","autogpt-platform-beta-v0.6.26","autogpt-platform-beta-v0.6.22","autogpt-platform-beta-v0.6.21","autogpt-platform-beta-v0.6.20","autogpt-platform-beta-v0.6.19","autogpt-platform-beta-v0.6.18","autogpt-platform-beta-v0.6.17","autogpt-platform-beta-v0.6.16","autogpt-platform-beta-v0.6.15","autogpt-platform-beta-v0.6.14","autogpt-platform-beta-v0.6.13","autogpt-platform-beta-v0.6.12","autogpt-platform-beta-v0.6.11","autogpt-platform-beta-v0.6.10","autogpt-platform-beta-v0.6.9","autogpt-platform-beta-v0.6.8","autogpt-platform-beta-v0.6.7","autogpt-platform-beta-v0.6.6","autogpt-platform-beta-v0.6.5","autogpt-platform-beta-v0.6.4","autogpt-platform-beta-v0.6.2","autogpt-platform-beta-v0.6.1","autogpt-platform-beta-v0.6.0","autogpt-platform-beta-v0.5.1","autogpt-platform-beta-v0.5.0","autogpt-platform-beta-v0.4.11","autogpt-platform-beta-v0.4.10","autogpt-platform-beta-v0.4.9","autogpt-platform-beta-v0.4.8","autogpt-platform-beta-v0.4.5","autogpt-platform-beta-v0.4.4","autogpt-platform-beta-v0.4.3","autogpt-platform-beta-v0.4.2","autogpt-platform-beta-v0.4.1","autogpt-platform-beta-v0.4.0","autogpt-platform-beta-v0.3.4","autogpt-platform-beta-v0.3.3","autogpt-platform-beta-v0.3.2","autogpt-platform-beta-v0.2.2","agpt-platform-beta-v0.2.0","agpt-platform-beta-v0.1.1","agpt-platform-beta-v0.1.0","agbenchmark-v0.0.10","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56663.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}