Platform: python
Component: metagpt
Fixed in: 0.8.2
CVE-2026-0761 describes a critical Remote Code Execution (RCE) vulnerability in MetaGPT, affecting version 0.8.1 (the advisory lists the affected range as 0.8.1 through 0.8.1). The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. A fix is available in version 0.8.2, and users are strongly advised to upgrade immediately.
The impact of CVE-2026-0761 is severe. Because the actionoutputstrto_mapping function does not validate its input, an attacker can inject Python code that the service then executes. That code runs in the context of the MetaGPT service account, which can give the attacker full control over the affected system and lead to data breaches, system compromise, and further lateral movement within the network. Since no authentication is required, the barrier to exploitation is low, making this a high-priority vulnerability.
CVE-2026-0761 was publicly disclosed on January 23, 2026; it was initially reported as ZDI-CAN-28. The lack of authentication and the ease of code injection suggest a high probability of exploitation, and public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Exploit Status
EPSS: 2.59% (85th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The primary mitigation for CVE-2026-0761 is to upgrade MetaGPT to version 0.8.2 or later, which includes the fix. If immediate upgrading is not possible, consider temporary workarounds. A direct WAF rule is difficult to write because the flaw is code injection rather than a fixed request pattern, but restricting network access to the MetaGPT service and carefully reviewing any external data sources the application consumes (the inputs that reach the vulnerable function) reduce the attack surface. Monitor system logs for unusual Python process activity originating from the MetaGPT service. After upgrading, confirm the fix by feeding the vulnerable function a test payload; it should now be rejected rather than executed.
Update the MetaGPT library to a version later than 0.8.1 that fixes the code injection vulnerability. Consult the project's release notes or changelog for further details on the fix. If no fixed version is available, consider disabling or removing the actionoutput_str_to_mapping function until an update is published.
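As an added illustration (not MetaGPT's own code): a parser for the kind of type-mapping string a str_to_mapping routine receives, written so that untrusted text is never handed to eval(), together with the refusal check the verification step above calls for. The function names, field names and type allowlist are assumptions.

```python
# Added example, not MetaGPT's own code: parse "field -> type" mapping text such
# as "{'name': str, 'age': int}" without eval(), the defect class this advisory
# describes. Only literal keys and allowlisted type names are accepted. Py3.9+.
import ast

ALLOWED_TYPES = {  # the only identifiers the parser will resolve
    "str": str, "int": int, "float": float, "bool": bool,
    "list": list, "dict": dict, "tuple": tuple, "set": set,
}

class UnsafeMappingError(ValueError): """Input went beyond literals and allowed types."""

def _resolve_type(node: ast.AST):
    # Accept a bare allowlisted name (int) or a subscript of one (list[str],
    # dict[str, int]). Calls, attributes, lambdas, dunders etc. are rejected.
    if isinstance(node, ast.Name):
        if node.id not in ALLOWED_TYPES:
            raise UnsafeMappingError(f"type {node.id!r} is not allowlisted")
        return ALLOWED_TYPES[node.id]
    if isinstance(node, ast.Subscript):
        outer = _resolve_type(node.value)
        args = node.slice.elts if isinstance(node.slice, ast.Tuple) else [node.slice]
        try:
            return outer[tuple(_resolve_type(a) for a in args)]
        except TypeError:  # e.g. int[str]: the outer type is not generic
            raise UnsafeMappingError(f"{outer!r} is not subscriptable")
    raise UnsafeMappingError(f"unsupported expression: {type(node).__name__}")

def str_to_mapping_safe(text: str) -> dict:
    """Parse "{'field': type, ...}" without eval(); return {field: type}."""
    try:
        tree = ast.parse(text.strip(), mode="eval")
    except SyntaxError as exc:
        raise UnsafeMappingError(f"not a valid expression: {exc}")
    if not isinstance(tree.body, ast.Dict):
        raise UnsafeMappingError("top-level value must be a dict literal")
    mapping = {}
    for key, value in zip(tree.body.keys, tree.body.values):
        # `**spread` entries have key None; only plain string keys are allowed
        if not (isinstance(key, ast.Constant) and isinstance(key.value, str)):
            raise UnsafeMappingError("keys must be string literals")
        mapping[key.value] = _resolve_type(value)
    return mapping

def is_rejected(text: str) -> bool:
    # Post-upgrade check: a code-injection payload must be refused, not run.
    try:
        str_to_mapping_safe(text)
    except UnsafeMappingError:
        return True
    return False
```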
CVE-2026-0761 is a critical RCE vulnerability affecting MetaGPT versions 0.8.1–0.8.1. It allows attackers to execute arbitrary code due to insufficient input validation.
If you are running MetaGPT version 0.8.1, you are vulnerable to this RCE vulnerability. Upgrade to version 0.8.2 or later to mitigate the risk.
The recommended fix is to upgrade MetaGPT to version 0.8.2 or later. If upgrading is not immediately possible, consider temporary workarounds like restricting network access.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks. Monitor security advisories.
Refer to the MetaGPT project's official website and security advisories for the latest information and updates regarding CVE-2026-0761.