OS Command Injection in FoundationAgents MetaGPT Software
CVE-2026-5974

6.9 MEDIUM

Key Information:

CVE Published: 9 April 2026

What is CVE-2026-5974?

A significant vulnerability exists in FoundationAgents MetaGPT, in the Bash.run function in the file metagpt/tools/libs/terminal.py. The flaw allows OS command injection and can be exploited remotely. The developers were alerted through a pull request but have not yet responded or provided a fix. The vulnerability can pose serious risks to systems that use MetaGPT, and users are urged to take the necessary precautions.

Affected Version(s)

MetaGPT 0.8.0

MetaGPT 0.8.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eric-d (VulDB User)
VulDB CNA Team