Platform: python
Component: metagpt
Fixed version: 0.8.2
CVE-2026-0761 describes a critical Remote Code Execution (RCE) vulnerability in MetaGPT affecting version 0.8.1. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. A fix is available in version 0.8.2, and users are strongly advised to upgrade immediately.
The impact of CVE-2026-0761 is severe. An attacker can leverage the lack of input validation in the actionoutput_str_to_mapping function to inject and execute malicious Python code. The injected code runs with the privileges of the account under which the MetaGPT service runs, potentially granting the attacker full control over the affected host. This could lead to data breaches, system compromise, and further lateral movement within the network. Because no authentication is required, the barrier to exploitation is low, making this a high-priority vulnerability.
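To make the class of bug concrete, the following is an added example, not code from MetaGPT or from the original advisory: a hypothetical reconstruction of an eval-style string-to-mapping parser of the kind described above, placed beside a hardened replacement that parses the same input without executing it. The function names, the mapping format (string keys mapped to type names) and the sample inputs are assumptions made for this illustration; the injection payload only reads the current process ID, so it is harmless to run.

```python
"""Illustrative eval-style parsing bug beside its hardened form.

Hypothetical code written for this advisory; it is not MetaGPT's
implementation and the mapping format is an assumption.
"""
import ast
import os

# Constructed sample inputs (not captured from a real MetaGPT run).
BENIGN_INPUT = "{'Original Requirements': 'str', 'Product Goals': 'list'}"
# Valid Python, but not a literal: eval() will execute it, a literal
# parser must refuse it. It merely returns our own PID as proof of execution.
INJECTION_INPUT = "__import__('os').getpid()"


def vulnerable_str_to_mapping(text: str):
    """VULNERABLE pattern: eval() runs any expression embedded in `text`."""
    return eval(text)  # noqa: S307  (kept deliberately to show the flaw)


# Allowlist of accepted type names; values are looked up, never evaluated.
# The set of names is an assumption for this example.
TYPE_NAMES = {"str": str, "int": int, "float": float,
              "bool": bool, "list": list, "dict": dict}


def safe_str_to_mapping(text: str) -> dict:
    """Parse a {key: type_name} mapping from untrusted text without executing it.

    ast.literal_eval accepts only Python literals (strings, numbers, tuples,
    lists, dicts, sets, booleans, None). Calls, attribute access and name
    lookups raise ValueError, so no code in `text` can run.
    """
    try:
        parsed = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"mapping is not a Python literal: {exc}") from None
    if not isinstance(parsed, dict):
        raise ValueError("mapping must be a dict")
    mapping = {}
    for key, type_name in parsed.items():
        if not isinstance(key, str) or not isinstance(type_name, str):
            raise ValueError("keys and type names must be strings")
        if type_name not in TYPE_NAMES:
            raise ValueError(f"unsupported type name: {type_name!r}")
        mapping[key] = TYPE_NAMES[type_name]
    return mapping


def vulnerable_executes_payload() -> bool:
    """True if the eval-based parser actually ran the injected expression."""
    return vulnerable_str_to_mapping(INJECTION_INPUT) == os.getpid()


def payload_is_rejected(text: str) -> bool:
    """Regression check for the hardened parser: True if `text` is refused."""
    try:
        safe_str_to_mapping(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable parser ran the payload:", vulnerable_executes_payload())
    print("hardened parser on benign input  :", safe_str_to_mapping(BENIGN_INPUT))
    print("hardened parser rejects payload  :", payload_is_rejected(INJECTION_INPUT))
```

The hardened version does two separate things: it refuses anything that is not a literal (which removes the code-execution primitive), and it then validates the shape of the literal against an allowlist, so that a syntactically harmless but unexpected value still fails closed rather than flowing into later code.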
CVE-2026-0761 was publicly disclosed on January 23, 2026. The vulnerability was initially reported as ZDI-CAN-28. The lack of authentication and the ease of code injection suggest a high probability of exploitation. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Organizations deploying MetaGPT in production environments, particularly those with limited network segmentation or inadequate access controls, are at significant risk. Systems running MetaGPT under a service account with elevated privileges are especially exposed, since a successful exploit inherits those privileges.
• python / server:
    import psutil

    # Enumerate running processes and flag any whose name or command line mentions MetaGPT
    # (MetaGPT is usually launched via the python interpreter, so the name alone may read "python")
    for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
        name = (proc.info['name'] or '').lower()
        cmdline = ' '.join(proc.info['cmdline'] or [])
        if 'metagpt' in name or 'metagpt' in cmdline.lower():
            print(f"MetaGPT process found: PID={proc.info['pid']}, Command={cmdline}")
• linux / server:
    journalctl -u metagpt | grep -iE "error|exception"
• generic web:
    curl -I http://<target>/metagpt/actionoutput_str_to_mapping   # check for unexpected responses or error messages
disclosure
patch
Exploit status
EPSS
2.59% (85th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0761 is to upgrade MetaGPT to version 0.8.2 or later, which includes the fix. If an immediate upgrade is not possible, apply temporary workarounds. A direct WAF rule is hard to write because the flaw is code injection through data the application parses rather than a fixed request pattern, but restricting network access to the MetaGPT service and carefully reviewing any external data sources that feed the application reduce the attack surface. Monitor system logs for unusual Python process activity. After upgrading, confirm the fix in a non-production environment by passing a benign, non-literal payload to the previously vulnerable function; it should now be rejected instead of executed.
Update the MetaGPT library to version 0.8.2 or later to fix the code injection vulnerability. See the project's release notes or changelog for details of the fix. If you cannot upgrade yet, consider disabling or removing the actionoutput_str_to_mapping function until the update can be applied.
CVE-2026-0761 is a critical RCE vulnerability affecting MetaGPT version 0.8.1. It allows attackers to execute arbitrary code due to insufficient input validation.
If you are running MetaGPT version 0.8.1, you are vulnerable to this RCE vulnerability. Upgrade to version 0.8.2 or later to mitigate the risk.
The recommended fix is to upgrade MetaGPT to version 0.8.2 or later. If upgrading is not immediately possible, consider temporary workarounds like restricting network access.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks. Monitor security advisories.
Refer to the MetaGPT project's official website and security advisories for the latest information and updates regarding CVE-2026-0761.