Platform: python
Component: foundationagents-metagpt
Fixed in: 0.8.1, 0.8.2
CVE-2026-5973 is an OS command injection vulnerability in MetaGPT affecting versions 0.8.0 through 0.8.1. The flaw resides in the get_mime_type function of metagpt/utils/common.py and allows a remote attacker to execute arbitrary operating system commands on the host running MetaGPT. A public exploit is available, which makes prompt remediation urgent.
The impact is severe because the attacker gains command execution in the context of the MetaGPT process: from there they can read or exfiltrate sensitive data (including any API keys the agent has been configured with), install a persistent foothold, disrupt the service, or pivot to other systems on the network. The existence of a public exploit materially raises the likelihood of exploitation, so this should be treated as a high-priority issue by anyone running MetaGPT.
The vulnerability was reported via a pull request, but at the time of writing the project has not responded. It was published on 2026-04-09.
EPSS: 1.76% (83rd percentile)
The primary mitigation for CVE-2026-5973 is to upgrade MetaGPT to a patched version as soon as one is available. Until then, reduce the attack surface: restrict network access to the MetaGPT instance, and do not let untrusted input reach the filename argument of get_mime_type without strict validation (reject paths outside an allowed directory and anything containing shell metacharacters). A Web Application Firewall is only relevant where MetaGPT is exposed behind an HTTP front end, and it should be treated as a stop-gap rather than a fix, because filtering cannot reliably recognise every shell-metacharacter encoding. Monitor process-execution logs for shell children spawned by the MetaGPT process. After upgrading, confirm the fix in a controlled test environment by passing a filename that contains a harmless marker command and verifying that the marker is never executed.
Update to a patched version of MetaGPT that addresses the operating system command injection vulnerability in the get_mime_type function. The FoundationAgents project has been notified, but has not yet provided an update. See the provided references for more information and potential workarounds.
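The following is an added example written for this advisory, not MetaGPT's own code. It reproduces the general pattern behind an OS command injection in a MIME-type helper (an attacker-controlled filename interpolated into a shell command line) alongside a hardened replacement that resolves the path, confines it to an allowed directory and passes it to the `file` utility as a single argv element with no shell. The function names, the use of the `file` utility and the constructed filenames are assumptions for illustration; the real vulnerable code in metagpt/utils/common.py may differ in detail.

```python
"""Illustrative vulnerable vs hardened MIME-type lookup (added example, not MetaGPT code).

Assumptions: the vulnerable helper shells out to the `file` utility with the
filename pasted into a command string; the hardened helper uses an argv list.
"""
import mimetypes
import shlex
import subprocess
from pathlib import Path


def build_file_cmd_unsafe(filename: str) -> str:
    """Vulnerable pattern: the filename becomes part of a shell command string.

    If this string is passed to subprocess.run(..., shell=True), metacharacters
    in `filename` (';', '|', '$(...)', backticks) are interpreted by /bin/sh,
    so a filename such as "report.txt; id" runs `id` as a second command.
    """
    return f"file --mime-type -b {filename}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, so the effect of
    an injected ';' is visible without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def build_file_cmd_safe(filename: str) -> list[str]:
    """Hardened pattern: an argv list, no shell. The '--' ends option parsing so
    a filename beginning with '-' cannot be read as an option of `file`."""
    return ["file", "--mime-type", "-b", "--", filename]


def safe_mime_type(filename: str, allowed_root: Path) -> str:
    """Resolve `filename` under `allowed_root`, refuse anything that escapes the
    root or is not a regular file, then run `file` with shell=False.

    Falls back to Python's extension table if the `file` binary is absent.
    """
    root = allowed_root.resolve()
    path = (root / filename).resolve()
    if root not in path.parents:
        raise ValueError(f"path escapes allowed root: {filename!r}")
    if not path.is_file():
        raise ValueError(f"not a regular file: {filename!r}")
    try:
        proc = subprocess.run(
            build_file_cmd_safe(str(path)),
            capture_output=True, text=True, check=True, timeout=5,
        )
        return proc.stdout.strip()
    except FileNotFoundError:  # `file` utility not installed on this host
        guessed, _ = mimetypes.guess_type(path.name)
        return guessed or "application/octet-stream"


if __name__ == "__main__":
    import tempfile

    evil = "report.txt; id"  # constructed attacker-controlled filename
    print("shell sees:", shell_tokens(build_file_cmd_unsafe(evil)))
    print("argv list: ", build_file_cmd_safe(evil))
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / evil).write_text("hello\n")
        # The whole filename is one argv entry; nothing after ';' is executed.
        print("mime type: ", safe_mime_type(evil, root))
```

The `shell_tokens` output for the constructed filename shows `id` arriving as a separate command word, which is exactly what a shell would execute; the argv list keeps the same string as one element, so the only thing `file` can do with it is fail to open a file. The path-confinement check is the "strict input validation" the mitigation section refers to, applied before any process is spawned.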
CVE-2026-5973 is an OS command injection vulnerability affecting MetaGPT versions 0.8.0–0.8.1. It allows attackers to execute arbitrary commands on the host via the get_mime_type function in metagpt/utils/common.py.
If you are using MetaGPT versions 0.8.0 or 0.8.1, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade MetaGPT to a patched version. Until a patch is released, consider temporary workarounds like restricting network access and input validation.
Due to the public availability of an exploit, there is a high probability that CVE-2026-5973 is being actively exploited or will be soon.
Refer to the MetaGPT project's official channels (e.g., GitHub repository, website) for updates and advisories regarding CVE-2026-5973.