Metagpt — CraftedSignal Threat Feed

MetaGPT Bash.run Command Injection Vulnerability (CVE-2026-5974)

hello@craftedsignal.io — Thu, 09 Apr 2026 20:16:29 +0000

A critical command injection vulnerability, tracked as CVE-2026-5974, has been identified in FoundationAgents MetaGPT up to version 0.8.1. The vulnerability resides within the Bash.run function located in the metagpt/tools/libs/terminal.py library. An attacker can exploit this flaw by injecting malicious commands into the Bash.run function, leading to arbitrary OS command execution on the target system. The vulnerability is remotely exploitable, posing a significant risk. Although the developers were notified via a pull request, no patch has been released as of the publication of this brief. This vulnerability could be exploited to gain unauthorized access, escalate privileges, or compromise the entire system.

Attack Chain

An attacker identifies a MetaGPT instance running version 0.8.1 or earlier.
The attacker crafts a malicious input string containing OS commands.
This malicious string is passed to the Bash.run function in metagpt/tools/libs/terminal.py.
Due to insufficient input validation, the injected commands are not properly neutralized.
The Bash.run function executes the injected OS commands using the underlying operating system’s shell.
The attacker gains the ability to execute arbitrary code on the server.
The attacker could then install malware, create new user accounts, or exfiltrate sensitive data.

Impact

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary operating system commands on the server hosting the vulnerable MetaGPT instance. This could lead to complete system compromise, including data theft, malware installation, and denial-of-service attacks. Due to the nature of command injection, the impact is highly dependent on the privileges of the user account running the MetaGPT application.

Recommendation

Apply input validation and sanitization to the Bash.run function in the metagpt/tools/libs/terminal.py library to prevent command injection (CVE-2026-5974).
Monitor process creations for unusual commands executed by the MetaGPT application (see Sigma rule “Detect Suspicious MetaGPT Bash.run Execution”).
Deploy a web application firewall (WAF) to filter out potentially malicious payloads being sent to the MetaGPT application.

MetaGPT OS Command Injection Vulnerability (CVE-2026-5972)

hello@craftedsignal.io — Thu, 09 Apr 2026 20:16:28 +0000

CVE-2026-5972 describes a critical OS command injection vulnerability affecting FoundationAgents MetaGPT versions up to 0.8.1. The vulnerability resides in the Terminal.run_command function within the metagpt/tools/libs/terminal.py file. This flaw allows remote attackers to inject and execute arbitrary operating system commands on the affected system. The vulnerability is remotely exploitable, meaning that attackers can trigger it over a network without requiring local access. Public exploits for this vulnerability are available, increasing the risk of widespread exploitation. The patch identified as d04ffc8dc67903e8b327f78ec121df5e190ffc7b addresses this vulnerability and upgrading to a patched version is highly recommended.

Attack Chain

An attacker identifies a vulnerable MetaGPT instance running a version <= 0.8.1.
The attacker crafts a malicious request targeting the Terminal.run_command function.
The malicious request contains an OS command injection payload within the input parameters expected by Terminal.run_command.
MetaGPT processes the request, passing the attacker-controlled input to the underlying operating system’s command interpreter without proper sanitization.
The operating system executes the injected command as part of the MetaGPT process, granting the attacker code execution within the server environment.
The attacker leverages the initial foothold to escalate privileges, potentially gaining root access or compromising other services on the system.
The attacker may then install malware, establish persistence, or exfiltrate sensitive data.
The attacker achieves their final objective, which could include data theft, denial of service, or complete system compromise.

Impact

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, and denial of service. Given the publicly available exploit, unpatched MetaGPT instances are at immediate risk. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high level of severity. The number of victims and sectors targeted is currently unknown, but given the nature of the vulnerability, any organization using MetaGPT is potentially at risk.

Recommendation

Apply the patch d04ffc8dc67903e8b327f78ec121df5e190ffc7b provided by FoundationAgents to remediate the vulnerability.
Monitor web server logs for suspicious requests targeting the MetaGPT application, specifically those containing command injection attempts (cs-uri-query, cs-method, sc-status).
Implement the provided Sigma rule to detect command execution originating from the MetaGPT application (logsource).
Review network traffic for unusual outbound connections originating from MetaGPT servers, which could indicate successful exploitation and malware installation (category: network_connection).
Enable and review process creation logs on MetaGPT servers to identify any unexpected child processes spawned by the MetaGPT application, as this could indicate command injection exploitation (category: process_creation).

MetaGPT Code Injection Vulnerability (CVE-2026-5970)

hello@craftedsignal.io — Thu, 09 Apr 2026 18:17:04 +0000

CVE-2026-5970 is a critical vulnerability affecting FoundationAgents MetaGPT, a framework for multi-agent systems, up to version 0.8.1. The vulnerability resides within the check_solution function of the HumanEvalBenchmark/MBPPBenchmark component. This flaw enables a remote attacker to inject and execute arbitrary code by manipulating input parameters. The vulnerability has been publicly disclosed and exploits are readily available. The maintainers of the MetaGPT project were notified via pull request but have not yet addressed the issue, increasing the risk to users of affected versions. Successful exploitation could lead to complete system compromise.

Attack Chain

The attacker identifies a vulnerable MetaGPT instance running a version <= 0.8.1.
The attacker crafts a malicious input designed to exploit the check_solution function within the HumanEvalBenchmark/MBPPBenchmark component.
The attacker sends the crafted input to the MetaGPT instance, potentially via a network request or other remote interface.
The check_solution function processes the malicious input without proper sanitization.
The lack of input sanitization allows the attacker to inject arbitrary code.
The injected code is then executed within the context of the MetaGPT application.
Depending on the privileges of the MetaGPT process, the attacker can gain control of the system or access sensitive data.
The attacker may use this initial access to pivot to other systems within the network, install malware, or exfiltrate data.

Impact

Successful exploitation of CVE-2026-5970 allows remote attackers to execute arbitrary code on systems running vulnerable versions of FoundationAgents MetaGPT. This can lead to complete system compromise, data breaches, and further malicious activities within the compromised environment. Given the nature of MetaGPT, this could potentially affect development environments, CI/CD pipelines, or even production systems where the framework is utilized, leading to significant financial and reputational damage.

Recommendation

Upgrade to a patched version of MetaGPT as soon as one becomes available.
Monitor network traffic for suspicious activity targeting MetaGPT instances, using network connection logs.
Implement input validation and sanitization measures within the check_solution function (if possible as a temporary mitigation) to prevent code injection.
Deploy the Sigma rule below to detect attempts to exploit this vulnerability based on suspicious process creation related to MetaGPT.
Review and restrict network access to MetaGPT instances to minimize the attack surface.

FoundationAgents MetaGPT Code Injection Vulnerability (CVE-2026-5971)

hello@craftedsignal.io — Thu, 09 Apr 2026 18:17:04 +0000

A code injection vulnerability, identified as CVE-2026-5971, has been discovered in FoundationAgents MetaGPT versions up to 0.8.1. The vulnerability resides in the ActionNode.xml_fill function within the metagpt/actions/action_node.py file, specifically related to the XML Handler component. This flaw allows a remote attacker to inject malicious code by exploiting improper neutralization of directives in dynamically evaluated code. A proof-of-concept exploit is publicly available, increasing the likelihood of exploitation. The project maintainers were notified of the vulnerability via a pull request but have not yet addressed the issue. This poses a significant risk to systems using vulnerable versions of MetaGPT, especially those exposed to untrusted input.

Attack Chain

An attacker identifies a MetaGPT instance running a vulnerable version (<= 0.8.1).
The attacker crafts malicious XML input designed to exploit the ActionNode.xml_fill function.
The attacker sends the malicious XML to the MetaGPT instance through a network request, likely via an API endpoint.
The ActionNode.xml_fill function processes the malicious XML, failing to properly neutralize directives.
The injected code is dynamically evaluated within the MetaGPT environment.
The attacker gains arbitrary code execution within the MetaGPT process, potentially escalating privileges.
The attacker leverages the code execution to compromise the system, potentially gaining access to sensitive data.
The attacker exfiltrates sensitive data or causes other damage based on their objectives.

Impact

Successful exploitation of CVE-2026-5971 can lead to arbitrary code execution on systems running vulnerable versions of FoundationAgents MetaGPT (<= 0.8.1). This could allow attackers to steal sensitive information, modify system configurations, install malware, or disrupt services. The availability of a public exploit increases the likelihood of widespread attacks targeting vulnerable systems. The specific number of potential victims and targeted sectors are currently unknown, but any system running MetaGPT and processing potentially malicious XML input is at risk.

Recommendation

Apply any available patches or updates for FoundationAgents MetaGPT to address CVE-2026-5971 as soon as they are released.
Implement input validation and sanitization measures to prevent malicious XML from being processed by the ActionNode.xml_fill function.
Monitor web server logs for suspicious activity related to XML processing, such as unusual requests or errors. Deploy the Sigma rule Detect MetaGPT XML Injection Attempt to identify potential exploit attempts based on HTTP request characteristics.
Enable process monitoring to detect suspicious processes spawned by MetaGPT, especially those with network connections. Deploy the Sigma rule Detect MetaGPT Suspicious Child Processes to identify potential post-exploitation activity.