CVE-2026-4516
Remote Code Injection in Foundation Agents MetaGPT DataInterpreter
Publication date: 2026-03-21
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deepwisdom | metagpt | up to 0.8.1 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4516 is a critical Remote Code Execution (RCE) vulnerability in the MetaGPT framework, specifically in the DataInterpreter component up to version 0.8.1. The vulnerability arises because user input is directly embedded into prompts sent to a Large Language Model (LLM) without proper validation or sanitization. This allows attackers to perform prompt injection attacks that manipulate the LLM into generating and executing arbitrary Python code within a Jupyter Notebook environment.
The vulnerable code is located in the file metagpt/actions/di/write_analysis_code.py, where the user_requirement parameter is inserted into the prompt string without escaping. The generated code is then executed asynchronously without sandboxing or security checks, enabling attackers to run arbitrary commands on the host system.
This flaw allows attackers to override system instructions, inject malicious code, and execute it automatically, leading to full system compromise.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Arbitrary Python code execution on the host system.
- Execution of system commands, potentially leading to full system compromise.
- Disclosure of sensitive files and environment variables, such as API keys.
- Establishment of persistent backdoors and reverse shells for ongoing remote access.
- Lateral movement within networks, potentially compromising other systems.
- Compromise of web applications, multi-tenant SaaS platforms, and CI/CD pipelines that use the vulnerable DataInterpreter component.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying exploitation attempts that leverage prompt injection to execute arbitrary Python code within the MetaGPT DataInterpreter component.
Since the vulnerability exploits unsanitized user input embedded in prompts leading to code execution in Jupyter Notebooks, monitoring for unusual or unexpected Python code execution or Jupyter Notebook activity is key.
- Check logs for execution of Python code cells in Jupyter Notebooks that were triggered without user interaction.
- Monitor network traffic for suspicious requests containing unusual or crafted user inputs targeting the DataInterpreter service.
- Use commands to search for suspicious processes or launched applications (e.g., Calculator app) that may indicate code execution:
  - On Linux: `ps aux | grep python` or `lsof -i` to detect unusual Python processes or network connections.
  - On Windows: Use `tasklist` or `Get-Process` in PowerShell to identify unexpected processes.
- Inspect the source code or runtime environment for the presence of the vulnerable file `metagpt/actions/di/write_analysis_code.py` and check if it is running version ≤ 0.8.1.
No specific detection commands are provided in the resources, but focusing on monitoring Jupyter Notebook executions, user input sanitization failures, and unexpected process launches is recommended.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on preventing exploitation by sanitizing inputs, restricting code execution, and reviewing generated code before execution.
- Sanitize the `user_requirement` input by removing common prompt injection patterns such as "ignore previous instructions" using regex and limit the input length.
- Require human approval before executing any generated Python code; display the generated code for manual review.
- Remove or restrict the Terminal tool functionality to prevent arbitrary system command execution; implement command whitelisting if the Terminal tool is necessary.
These short-term mitigations reduce the risk of prompt injection and arbitrary code execution until long-term solutions like sandboxed execution and LLM output validation can be implemented. [1]
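One way to wire the three short-term mitigations above into a single pre-execution gate, written as an added example and not MetaGPT project code; the function names, the injection-pattern denylist and the command allowlist are assumptions chosen for illustration.

```python
"""Pre-execution gate for LLM-generated code (added example, not MetaGPT code).
Implements the three short-term mitigations: input sanitisation with a length cap,
mandatory human approval before execution, and an allowlist for the Terminal tool."""
import re
import shlex
from typing import Callable

# Constructed denylist of common instruction-override phrasings. A denylist only
# reduces noise; it cannot catch every injection, which is why the gate below also
# requires approval and restricts what generated code may run on the host.
INJECTION_PATTERNS = [
    re.compile(r"ignore\s+(all\s+)?(previous|prior|above)\s+instructions", re.I),
    re.compile(r"disregard\s+(the\s+)?(system|previous)\s+(prompt|instructions)", re.I),
]
MAX_REQUIREMENT_LEN = 2000          # assumed cap for the user_requirement field
ALLOWED_COMMANDS = {"ls", "cat", "head", "wc"}   # assumed Terminal allowlist


def sanitize_requirement(user_requirement: str) -> str:
    """Strip known override phrasings and cap length before the text is embedded
    in the prompt that write_analysis_code.py sends to the LLM."""
    cleaned = user_requirement
    for pattern in INJECTION_PATTERNS:
        cleaned = pattern.sub("[removed]", cleaned)
    return cleaned[:MAX_REQUIREMENT_LEN]


def terminal_command_allowed(command: str) -> bool:
    """Allowlist check for the Terminal tool: a single known command, no shell
    metacharacters that could chain or redirect into something else."""
    if any(ch in command for ch in ";&|`$<>\n"):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    return bool(argv) and argv[0] in ALLOWED_COMMANDS


def run_if_approved(code: str, approve: Callable[[str], bool],
                    execute: Callable[[str], None]) -> bool:
    """Never auto-execute: show the generated code to a reviewer and run it only
    on an explicit True. Returns whether the code was executed."""
    print("=== generated code awaiting review ===")
    print(code)
    if approve(code) is not True:
        return False
    execute(code)
    return True
```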
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know