AutoGPT Credit System Bypass Vulnerability in Workflow Automation Platform

Vulnerability

A vulnerability in AutoGPT, prior to version 0.6.59, allows authenticated users to execute blocks via the external API without deducting any credits. This issue arises because the credit check is only applied during normal graph execution, leaving a gap when blocks are executed directly through the API. As a result, users can exploit this to run any block for free, bypassing the platform's billing and rate-limiting mechanisms. This vulnerability is particularly impactful when combined with another reported issue that bypasses human oversight, allowing sensitive actions to be executed without cost or approval.

Impact

Exploitation of this vulnerability enables any authenticated user to execute blocks without credit consumption, effectively bypassing the platform's billing and rate-limiting systems. This allows free use of AI/LLM blocks, such as GPT-4 and Claude. When combined with a separate vulnerability that bypasses human oversight, it could lead to the free execution of sensitive actions without any supervision.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/blocks/{block_id}/execute' endpoint from an authenticated account with a zero credit balance. The credit check, which is normally enforced during graph execution, is never reached when a block is executed directly through the external API. As a result, the block execution proceeds and no credits are deducted.
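The root cause described in the Vulnerability and Reproduction sections is a billing check that lives in one entry point (graph execution) while a second entry point (the external block API) reaches the same execution routine without it. The snippet below is an added illustration written for this page, not AutoGPT's own code; the function names, block costs, user ids and balances are all hypothetical. It places the per-entry-point check beside a hardened version in which every caller, API route included, goes through a single billed execution function:

```python
"""Added illustration (not AutoGPT's code): a credit check applied only in
the graph-execution path leaves the direct API path unbilled; centralising
the check in one execution function closes the gap.  All names, costs and
balances below are hypothetical and constructed for this example."""

from dataclasses import dataclass, field


class InsufficientCredits(Exception):
    """Raised when a user cannot pay for a block execution."""


@dataclass
class Ledger:
    """Constructed in-memory credit ledger keyed by user id."""
    balances: dict = field(default_factory=dict)

    def balance(self, user_id: str) -> int:
        return self.balances.get(user_id, 0)

    def spend(self, user_id: str, cost: int) -> None:
        # Check and deduct in one step so a zero-balance caller is refused.
        if self.balance(user_id) < cost:
            raise InsufficientCredits(
                f"{user_id} needs {cost} credits, has {self.balance(user_id)}")
        self.balances[user_id] -= cost


# Hypothetical per-block costs in credits.
BLOCK_COSTS = {"llm_block": 5, "http_block": 1}


def run_block(block_id: str, inputs: dict) -> dict:
    """Stand-in for the real block runtime; returns a constructed result."""
    return {"block": block_id, "output": f"ran with {inputs}"}


# --- Vulnerable shape: the check exists only in the graph-execution path. ---

def execute_graph_vulnerable(ledger: Ledger, user_id: str, block_ids: list) -> list:
    results = []
    for block_id in block_ids:
        ledger.spend(user_id, BLOCK_COSTS[block_id])  # billed here...
        results.append(run_block(block_id, {}))
    return results


def api_execute_block_vulnerable(ledger: Ledger, user_id: str, block_id: str) -> dict:
    # ...but the direct API route reaches run_block without touching the ledger.
    return run_block(block_id, {})


# --- Hardened shape: one billed choke point that every entry point must use. ---

def execute_block_billed(ledger: Ledger, user_id: str, block_id: str, inputs: dict) -> dict:
    """No code path reaches run_block without paying first."""
    ledger.spend(user_id, BLOCK_COSTS[block_id])
    return run_block(block_id, inputs)


def execute_graph_fixed(ledger: Ledger, user_id: str, block_ids: list) -> list:
    return [execute_block_billed(ledger, user_id, b, {}) for b in block_ids]


def api_execute_block_fixed(ledger: Ledger, user_id: str, block_id: str) -> dict:
    return execute_block_billed(ledger, user_id, block_id, {})


def demo() -> dict:
    """Run a zero-balance user through both shapes and report what happened."""
    outcome = {}

    vuln = Ledger({"alice": 0})
    api_execute_block_vulnerable(vuln, "alice", "llm_block")  # succeeds, nothing charged
    outcome["vulnerable_api_ran_for_free"] = vuln.balance("alice") == 0

    fixed = Ledger({"alice": 0})
    try:
        api_execute_block_fixed(fixed, "alice", "llm_block")
        outcome["fixed_api_rejected"] = False
    except InsufficientCredits:
        outcome["fixed_api_rejected"] = True

    funded = Ledger({"bob": 12})
    api_execute_block_fixed(funded, "bob", "llm_block")                 # 12 -> 7
    execute_graph_fixed(funded, "bob", ["http_block", "llm_block"])     # 7 -> 1
    outcome["funded_balance_after"] = funded.balance("bob")
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is structural rather than a matter of adding a second copy of the check to the API handler: with one billed function in front of the block runtime, a new entry point added later cannot forget the check. A regression test that invokes every public execution entry point with an empty balance and expects a refusal is the cheapest way to notice if the gap reopens.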

Remediation

Users can update to AutoGPT version 0.6.59 or later, where this vulnerability has been fixed.

Added: May 28, 2026, 10:27 PM
Updated: May 28, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.