CVE-2026-6111
Server-Side Request Forgery in FoundationAgents MetaGPT decode_image
Publication date: 2026-04-12
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| deepwisdom | metagpt | 0.8.1 |
| deepwisdom | metagpt | 0.8.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6111 is a Server-Side Request Forgery (SSRF) vulnerability in the decode_image() function of the MetaGPT project. The function attempts to fetch images from URLs starting with "http" without validating the URL or hostname. This lack of validation allows attackers to supply arbitrary HTTP URLs that the server will request, potentially accessing internal network resources.
Although the function filters the response content through an image processing library (Image.open()), which prevents direct reading of arbitrary HTTP responses, attackers can still exploit the vulnerability to perform internal network reconnaissance, port scanning, and data exfiltration via DNS queries. The vulnerability is semi-blind, meaning attackers infer information through error messages or timing differences rather than direct response content.
The root cause is the absence of URL validation before making HTTP requests, allowing requests to localhost, private IP ranges, and cloud metadata endpoints that can expose sensitive information such as cloud credentials.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform unauthorized internal network access through SSRF attacks. They can scan internal services, detect availability of internal resources, and exfiltrate sensitive data such as cloud metadata credentials.
- Access internal network resources including localhost and private IP ranges.
- Retrieve cloud metadata endpoints (e.g., AWS, Azure, GCP credentials), potentially leading to credential theft.
- Conduct internal network reconnaissance and port scanning.
- Exfiltrate data via DNS queries embedded in URLs.
- Trigger actions on internal services such as cache flushes or webhooks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual HTTP requests originating from the MetaGPT application, especially those targeting internal IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or cloud metadata IPs like 169.254.169.254.
Since the vulnerability involves server-side request forgery (SSRF) via the decode_image() function, detection can include setting up a local HTTP server to log incoming requests and testing if the application makes requests to it when given crafted image URLs.
Suggested commands for detection include:
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the MetaGPT host and filter for requests to internal IP ranges.
- Set up a local HTTP server (e.g., using Python's `python3 -m http.server 8000`) and provide the MetaGPT decode_image() function with URLs pointing to this server to see if requests are made.
- Check application logs for exceptions or error messages related to image decoding that might indicate SSRF attempts.
- Example command to monitor HTTP requests on port 80 or 443: `sudo tcpdump -i any tcp port 80 or tcp port 443 and src host <MetaGPT_host_IP>`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the fix that introduces strict URL validation before making HTTP requests in the decode_image() function.
Specifically, implement a validation function (like `is_safe_url()`) that:
- Ensures the URL scheme is either HTTP or HTTPS.
- Resolves the hostname to an IP address to prevent DNS rebinding attacks.
- Blocks requests to private IP ranges including localhost (127.0.0.0/8, ::1/128), private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local and cloud metadata IPs (169.254.0.0/16).
- Adds a timeout to HTTP requests to prevent hanging.
If updating the code is not immediately possible, consider restricting network access from the MetaGPT host to internal IP ranges and cloud metadata endpoints at the firewall or network level to reduce risk.
Monitor for any suspicious activity and apply patches or updates from the MetaGPT project as soon as they are released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-6111 is a Server-Side Request Forgery (SSRF) flaw that allows attackers to access internal network resources, including cloud metadata endpoints that may contain sensitive credentials. This can lead to unauthorized internal network access and potential data exfiltration.
Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.
However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.