CVE-2026-56663: CWE-918: Server-Side Request Forgery (SSRF) in Significant-Gravitas AutoGPT
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.
AI Analysis
Technical Summary
CVE-2026-56663 is a CWE-918 SSRF vulnerability in AutoGPT before version 0.6.52. The vulnerability arises because the function _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking them against blocked IPv4 ranges. Additionally, it fails to block special-use IP ranges such as 100.64.0.0/10 (CGNAT). As a result, a hostname resolving to an IPv4-mapped IPv6 address can bypass the SSRF protections and access internal IPv4 endpoints. This affects all deployments of the AutoGPT platform prior to 0.6.52.
Potential Impact
An authenticated user can exploit this vulnerability to bypass SSRF protections and access internal network services that should be inaccessible. This can lead to complete confidentiality, integrity, and availability compromise of the affected system, as indicated by the CVSS score of 8.5 with high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade AutoGPT to version 0.6.52 or later, where this vulnerability is fixed. Since the vulnerability is resolved in this version, no additional mitigation steps are required beyond applying the official fix.
CVE-2026-56663: CWE-918: Server-Side Request Forgery (SSRF) in Significant-Gravitas AutoGPT
Description
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach internal network services. _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking resolved IPs against the blocked IPv4 ranges, and does not block special-use ranges such as 100.64.0.0/10 (CGNAT, RFC 6598). A hostname that resolves to an IPv4-mapped IPv6 address therefore passes validation and the request reaches the embedded internal IPv4 endpoint. This affects all AutoGPT Platform deployments. This vulnerability is fixed in 0.6.52.
CVSS v3.1
Score 8.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-56663 is a CWE-918 SSRF vulnerability in AutoGPT before version 0.6.52. The vulnerability arises because the function _is_ip_blocked() in backend/backend/util/request.py does not normalize IPv4-mapped IPv6 addresses before checking them against blocked IPv4 ranges. Additionally, it fails to block special-use IP ranges such as 100.64.0.0/10 (CGNAT). As a result, a hostname resolving to an IPv4-mapped IPv6 address can bypass the SSRF protections and access internal IPv4 endpoints. This affects all deployments of the AutoGPT platform prior to 0.6.52.
Potential Impact
An authenticated user can exploit this vulnerability to bypass SSRF protections and access internal network services that should be inaccessible. This can lead to complete confidentiality, integrity, and availability compromise of the affected system, as indicated by the CVSS score of 8.5 with high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade AutoGPT to version 0.6.52 or later, where this vulnerability is fixed. Since the vulnerability is resolved in this version, no additional mitigation steps are required beyond applying the official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-22T16:39:01.043Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3eae476e08203f7dc7e0d2
Added to database: 06/26/2026, 16:52:23 UTC
Last enriched: 06/26/2026, 17:06:51 UTC
Last updated: 06/27/2026, 14:36:59 UTC
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.