AutoGPT Insecure Deserialization (CVE-2026-33233) Leads to RCE

The National Vulnerability Database (NVD) has reported CVE-2026-33233, a critical insecure deserialization vulnerability affecting AutoGPT versions 0.6.34 through 0.6.51. AutoGPT, a platform for managing continuous AI agents, is susceptible to remote code execution (RCE) due to its Redis cache handling. The backend deserializes Redis cache bytes using pickle.loads without any integrity or authenticity checks.

This means if an attacker can poison a shared-cache key in Redis, they can execute arbitrary commands within the backend container. The NVD highlights that the write path serializes values with pickle.dumps into Redis, and the read path blindly invokes pickle.loads on those bytes. The absence of HMAC/signature validation or strict schema validation on deserialization creates a direct path for compromise, impacting confidentiality, integrity, and availability. The issue has been fixed in version 0.6.52.
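The missing control described above, shown as an added example (not AutoGPT's code and not the 0.6.52 patch): the write path stores JSON with an HMAC-SHA256 tag bound to the cache key, and the read path authenticates before parsing. The names seal, unseal, CacheIntegrityError and CACHE_HMAC_KEY are hypothetical, and a dict stands in for Redis.

```python
import hashlib
import hmac
import json

# Assumption: in a real deployment the key comes from a secret store, never from Redis.
CACHE_HMAC_KEY = b"constructed-demo-key"  # constructed value
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

class CacheIntegrityError(Exception):
    """Cached value failed authentication or schema checks."""

def _tag(cache_key: str, body: bytes) -> bytes:
    # Bind the tag to the cache key so a valid value cannot be replayed under another key.
    msg = cache_key.encode() + b"\x00" + body
    return hmac.new(CACHE_HMAC_KEY, msg, hashlib.sha256).digest()

def seal(cache_key: str, value: dict) -> bytes:
    """Write path: JSON (a data-only format) plus HMAC-SHA256 tag, in place of pickle.dumps."""
    body = json.dumps(value, sort_keys=True).encode()
    return _tag(cache_key, body) + body

def unseal(cache_key: str, blob: bytes) -> dict:
    """Read path: authenticate first, parse second, in place of a bare pickle.loads."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if len(tag) < TAG_LEN or not hmac.compare_digest(tag, _tag(cache_key, body)):
        raise CacheIntegrityError("HMAC mismatch: value not written by this backend")
    value = json.loads(body)
    if not isinstance(value, dict):  # minimal schema check; extend per cached type
        raise CacheIntegrityError("unexpected top-level type")
    return value

def demo() -> dict:
    store = {}  # stands in for Redis; keys and values are constructed
    store["agent:42"] = seal("agent:42", {"status": "running", "steps": 3})
    results = {"clean": unseal("agent:42", store["agent:42"])}
    poisoned = bytearray(store["agent:42"])
    poisoned[-2] ^= 0x01  # simulate another Redis writer altering the stored bytes
    cases = [("tampered", "agent:42", bytes(poisoned)),
             ("replayed", "agent:99", store["agent:42"])]
    for name, key, blob in cases:
        try:
            unseal(key, blob)
            results[name] = "accepted"
        except CacheIntegrityError as exc:
            results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

Anyone who can write to Redis but does not hold the HMAC key can no longer get bytes past the read path, and because the payload format is JSON, even an authenticated value cannot carry executable object state.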

Rated with a CVSS score of 7.6 (HIGH), this vulnerability is a prime example of why robust input validation and secure deserialization practices are non-negotiable. Defenders need to recognize that shared cache environments, while efficient, present significant attack surfaces if not properly secured. Blind deserialization is a gift to attackers seeking to achieve RCE.

What This Means For You

  • If your organization utilizes AutoGPT, immediately verify your deployed version. If you are running any version between 0.6.34 and 0.6.51, you are vulnerable to remote code execution. Patch to version 0.6.52 or newer without delay. Furthermore, audit your Redis configurations and access controls to prevent cache poisoning attacks, as this is the critical precursor for exploiting CVE-2026-33233.

Detection Rules

critical T1505.003 Persistence

CVE-2026-33233 - AutoGPT Insecure Deserialization via Redis Pickle

Sigma YAML:
title: CVE-2026-33233 - AutoGPT Insecure Deserialization via Redis Pickle
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
  Detects the use of pickle.loads on Redis data within the AutoGPT backend, indicative of the insecure deserialization vulnerability (CVE-2026-33233). This rule specifically targets the Python interpreter executing pickle.loads in conjunction with Redis, which is the core mechanism exploited in this vulnerability for arbitrary command execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-33233/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: process_creation
detection:
  selection:
    Image|startswith:
      - 'C:\Python'
    # both substrings must appear in the command line
    CommandLine|contains|all:
      - 'pickle.loads'
      - 'redis'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID: CVE-2026-33233
Type: Vulnerability
Indicator: CVE-2026-33233

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 05:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
