Description
A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: 1.8% Low
KEV: No
Impact: Remote Code Execution via OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the Terminal.run_command function of MetaGPT’s terminal library, allowing attackers to inject arbitrary OS commands. This results in execution of malicious code on the host machine, potentially giving unrestricted control. The vulnerability is classified as command injection (CWE-77 and CWE-78) and has a CVSS base score of 6.9, indicating moderate severity.

Affected Systems

FoundationAgents’ MetaGPT versions up to 0.8.1 are affected, specifically the metagpt/tools/libs/terminal.py component. Any deployment of MetaGPT 0.8.1 or earlier that exposes the terminal functionality is vulnerable. The product is maintained by FoundationAgents and available on GitHub.

Risk and Exploitability

The CVSS score of 6.9 reflects moderate risk, yet the flaw allows remote exploitation, meaning an attacker can trigger the injection through a network or API interface. EPSS data is not provided, and the issue is not listed in CISA’s KEV catalog, but a public exploit has already been posted on GitHub. The likely attack vector is remote: an attacker supplies malicious input to Terminal.run_command, which is executed without sanitization. Exploitation requires that the terminal API is exposed and accessible to the attacker, so proper isolation or access control can mitigate the risk.

Generated by OpenCVE AI on April 9, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit d04ffc8dc67903e8b327f78ec121df5e190ffc7b to upgrade MetaGPT beyond version 0.8.1.
  • Verify that the installed MetaGPT version is 0.8.2 or later after patching.
  • If patching cannot be performed immediately, restrict or disable the terminal command interface to prevent remote injection.
  • Monitor system logs for anomalous command executions and treat any detected activity as a potential exploit attempt.

Advisories
Source | ID | Title
Github GHSA | GHSA-wp29-qmvj-frvp | FoundationAgents MetaGPT vulnerable to os command injection via the Terminal.run_command
History

Wed, 29 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Deepwisdom; Deepwisdom metagpt
Vendors & Products | | Deepwisdom; Deepwisdom metagpt

Fri, 10 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Foundation Agents; Foundation Agents metagpt
Vendors & Products | | Foundation Agents; Foundation Agents metagpt

Thu, 09 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.
Title | | FoundationAgents MetaGPT terminal.py Terminal.run_command os command injection
Weaknesses | | CWE-77; CWE-78
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
| | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
| | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
| | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T14:13:32.555Z

Reserved: 2026-04-09T12:04:27.184Z

Link: CVE-2026-5972

Vulnrichment

Updated: 2026-04-10T14:13:29.058Z

NVD

Status: Analyzed

Published: 2026-04-09T20:16:28.943

Modified: 2026-04-29T19:26:45.883

Link: CVE-2026-5972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:48Z

Weaknesses