| Title | deepwisdom MetaGPT v0.8.1 Remote command execution |
|---|---|
| Description | The vulnerable component is located in `metagpt/ext/aflow/scripts/operator.py`. The `Programmer` class passes user-controlled natural language questions to the `code_generate` method, where an LLM generates code from them. The `sanitize` method checks and filters the AST structure of the code, and the `run_code` method restricts imports of libraries such as those used for command execution and sets global variables to null. Finally, the code is executed through `exec(code, global_namespace)` in `run_code`. However, attackers can use carefully crafted prompts to make the LLM generate malicious Python code that bypasses these checks, thereby remotely running arbitrary commands on the host machine. |
| Source | https://github.com/Ka7arotto/cve/blob/main/metagpt-rce1.md |
| User | Goku (UID 80486) |
| Submission | 03/06/2026 12:57 (1 month ago) |
| Moderation | 03/20/2026 15:40 (14 days later) |
| Status | Accepted |
| VulDB entry | 352080 [Foundation Agents MetaGPT up to 0.8.1 operator.py code_generate code injection] |
| Points | 20 |