CVE-2026-4516
Received Received - Intake
Remote Code Injection in Foundation Agents MetaGPT DataInterpreter

Publication date: 2026-03-21

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Foundation Agents MetaGPT up to 0.8.1. This vulnerability affects unknown code of the file metagpt/actions/di/write_analysis_code.py of the component DataInterpreter. The manipulation results in injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4516
EUVD
EUVD-2026-14252
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
deepwisdom metagpt to 0.8.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-4516 is a critical Remote Code Execution (RCE) vulnerability in the MetaGPT framework, specifically in the DataInterpreter component up to version 0.8.1. The vulnerability arises because user input is directly embedded into prompts sent to a Large Language Model (LLM) without proper validation or sanitization. This allows attackers to perform prompt injection attacks that manipulate the LLM into generating and executing arbitrary Python code within a Jupyter Notebook environment.

The vulnerable code is located in the file metagpt/actions/di/write_analysis_code.py, where the user_requirement parameter is inserted into the prompt string without escaping. The generated code is then executed asynchronously without sandboxing or security checks, enabling attackers to run arbitrary commands on the host system.

This flaw allows attackers to override system instructions, inject malicious code, and execute it automatically, leading to full system compromise.

Impact Analysis

This vulnerability can have severe impacts including:

  • Arbitrary Python code execution on the host system.
  • Execution of system commands, potentially leading to full system compromise.
  • Disclosure of sensitive files and environment variables, such as API keys.
  • Establishment of persistent backdoors and reverse shells for ongoing remote access.
  • Lateral movement within networks, potentially compromising other systems.
  • Compromise of web applications, multi-tenant SaaS platforms, and CI/CD pipelines that use the vulnerable DataInterpreter component.
Detection Guidance

Detection of this vulnerability involves identifying exploitation attempts that leverage prompt injection to execute arbitrary Python code within the MetaGPT DataInterpreter component.

Since the vulnerability exploits unsanitized user input embedded in prompts leading to code execution in Jupyter Notebooks, monitoring for unusual or unexpected Python code execution or Jupyter Notebook activity is key.

  • Check logs for execution of Python code cells in Jupyter Notebooks that were triggered without user interaction.
  • Monitor network traffic for suspicious requests containing unusual or crafted user inputs targeting the DataInterpreter service.
  • Use commands to search for suspicious processes or launched applications (e.g., Calculator app) that may indicate code execution:
  • On Linux: `ps aux | grep python` or `lsof -i` to detect unusual Python processes or network connections.
  • On Windows: Use `tasklist` or `Get-Process` in PowerShell to identify unexpected processes.
  • Inspect the source code or runtime environment for the presence of the vulnerable file `metagpt/actions/di/write_analysis_code.py` and check if it is running version ≀ 0.8.1.

No specific detection commands are provided in the resources, but focusing on monitoring Jupyter Notebook executions, user input sanitization failures, and unexpected process launches is recommended.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps focus on preventing exploitation by sanitizing inputs, restricting code execution, and reviewing generated code before execution.'}, {'type': 'list_item', 'content': 'Sanitize the `user_requirement` input by removing common prompt injection patterns such as "ignore previous instructions" using regex and limit the input length.'}, {'type': 'list_item', 'content': 'Require human approval before executing any generated Python code; display the generated code for manual review.'}, {'type': 'list_item', 'content': 'Remove or restrict the Terminal tool functionality to prevent arbitrary system command execution; implement command whitelisting if the Terminal tool is necessary.'}, {'type': 'paragraph', 'content': 'These short-term mitigations reduce the risk of prompt injection and arbitrary code execution until long-term solutions like sandboxed execution and LLM output validation can be implemented.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart