CVE-2026-0761 in MetaGPT
Summary
by MITRE • 01/23/2026
Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/25/2026
The CVE-2026-0761 vulnerability represents a critical code injection flaw within Foundation Agents MetaGPT software that enables remote code execution without authentication requirements. This vulnerability resides in the actionoutput_str_to_mapping function, which processes user-supplied input without adequate validation mechanisms. The flaw allows attackers to inject malicious code that gets executed within the Python runtime environment, potentially compromising the entire system. The vulnerability is particularly concerning because it operates entirely remotely and does not require any authentication credentials, making it accessible to any attacker with network access to the affected system.
The technical root cause of this vulnerability aligns with CWE-94, which describes "Improper Control of Generation of Code" or "Code Injection" vulnerabilities. The function fails to implement proper input sanitization or validation before executing user-provided strings as Python code. This design flaw creates an environment where attacker-controlled data can be interpreted and executed as legitimate program instructions. The vulnerability specifically targets the Python code execution environment where the application processes user input through the actionoutput_str_to_mapping function, allowing arbitrary code to be executed in the context of the service account that runs the MetaGPT application.
The operational impact of this vulnerability extends beyond simple code execution to encompass complete system compromise. When successfully exploited, attackers can execute arbitrary commands with the privileges of the service account running MetaGPT, potentially leading to data exfiltration, system infiltration, or lateral movement within the network. The vulnerability's remote nature means attackers can exploit it from anywhere on the internet, while the lack of authentication requirements removes any barriers to initial access. This creates a high-severity threat landscape where organizations running affected versions of Foundation Agents MetaGPT face immediate risk of unauthorized access and potential system takeover.
Security mitigations for this vulnerability should focus on implementing proper input validation and sanitization within the actionoutput_str_to_mapping function. Organizations should immediately patch the affected software to the latest version that addresses this code injection flaw. Additionally, network segmentation and firewall rules should be implemented to restrict access to MetaGPT services only to authorized users and systems. The implementation of principle of least privilege should ensure that service accounts run with minimal necessary permissions. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other code paths. According to ATT&CK framework, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: Python) and T1068 (Exploitation for Privilege Escalation), highlighting the need for both prevention and detection measures. Organizations should also implement monitoring solutions to detect anomalous code execution patterns that could indicate exploitation attempts.