NIXER-2026-0001

AutoGPT: Unvalidated Tool Call Chain

Critical CVSS 9.1 Prompt Injection Patched
Affected Project
Discovered
June 1, 2026
Published
June 1, 2026
Author
Nixer Security Research

Summary

Nixer identified a critical prompt injection vulnerability in AutoGPT's tool execution loop. By chaining adversarial tool names and arguments within a single user message, an attacker can force the agent to perform unauthorized system operations.

Technical Details

AutoGPT's planner agent does not validate the origin or authorization of tool names embedded in multi-turn conversations. A malicious prompt can inject a crafted tool call sequence that bypasses authorization checks and executes arbitrary commands.

Impact

Any AI agent using AutoGPT's tool execution loop is vulnerable to arbitrary command injection, data exfiltration, and unauthorized file system access through prompt payloads.

Affected Versions

AutoGPT < 0.3.2 (confirmed vulnerable)

Remediation

Update to AutoGPT 0.3.2 or later. Apply tool name allowlisting in the planner, validate argument schemas before execution, and disable shell tool access from untrusted prompt sources.

Credit: Nixer Security Research — run your own security scan at nixer.polsia.app/try
Discovery method: Found by Nixer security scanner — run your own at https://nixer.polsia.app/try