CVE-2026-6111
Received Received - Intake
Server-Side Request Forgery in FoundationAgents MetaGPT decode_image

Publication date: 2026-04-12

Last updated on: 2026-04-30

Assigner: VulDB

Description
A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.1. This impacts the function decode_image of the file metagpt/utils/common.py. The manipulation of the argument img_url_or_b64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6111
EUVD
EUVD-2026-21698
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
deepwisdom metagpt 0.8.1
deepwisdom metagpt 0.8.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6111 is a Server-Side Request Forgery (SSRF) vulnerability in the decode_image() function of the MetaGPT project. The function attempts to fetch images from URLs starting with "http" without validating the URL or hostname. This lack of validation allows attackers to supply arbitrary HTTP URLs that the server will request, potentially accessing internal network resources.

Although the function filters the response content through an image processing library (Image.open()), which prevents direct reading of arbitrary HTTP responses, attackers can still exploit the vulnerability to perform internal network reconnaissance, port scanning, and data exfiltration via DNS queries. The vulnerability is semi-blind, meaning attackers infer information through error messages or timing differences rather than direct response content.

The root cause is the absence of URL validation before making HTTP requests, allowing requests to localhost, private IP ranges, and cloud metadata endpoints that can expose sensitive information such as cloud credentials.

Impact Analysis

This vulnerability can impact you by allowing attackers to perform unauthorized internal network access through SSRF attacks. They can scan internal services, detect availability of internal resources, and exfiltrate sensitive data such as cloud metadata credentials.

  • Access internal network resources including localhost and private IP ranges.
  • Retrieve cloud metadata endpoints (e.g., AWS, Azure, GCP credentials), potentially leading to credential theft.
  • Conduct internal network reconnaissance and port scanning.
  • Exfiltrate data via DNS queries embedded in URLs.
  • Trigger actions on internal services such as cache flushes or webhooks.
Detection Guidance

This vulnerability can be detected by monitoring for unusual HTTP requests originating from the MetaGPT application, especially those targeting internal IP ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or cloud metadata IPs like 169.254.169.254.

Since the vulnerability involves server-side request forgery (SSRF) via the decode_image() function, detection can include setting up a local HTTP server to log incoming requests and testing if the application makes requests to it when given crafted image URLs.

Suggested commands for detection include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the MetaGPT host and filter for requests to internal IP ranges.
  • Set up a local HTTP server (e.g., using Python's `python3 -m http.server 8000`) and provide the MetaGPT decode_image() function with URLs pointing to this server to see if requests are made.
  • Check application logs for exceptions or error messages related to image decoding that might indicate SSRF attempts.
  • Example command to monitor HTTP requests on port 80 or 443: `sudo tcpdump -i any tcp port 80 or tcp port 443 and src host <MetaGPT_host_IP>`
Mitigation Strategies

Immediate mitigation steps include applying the fix that introduces strict URL validation before making HTTP requests in the decode_image() function.

Specifically, implement a validation function (like `is_safe_url()`) that:

  • Ensures the URL scheme is either HTTP or HTTPS.
  • Resolves the hostname to an IP address to prevent DNS rebinding attacks.
  • Blocks requests to private IP ranges including localhost (127.0.0.0/8, ::1/128), private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local and cloud metadata IPs (169.254.0.0/16).
  • Adds a timeout to HTTP requests to prevent hanging.

If updating the code is not immediately possible, consider restricting network access from the MetaGPT host to internal IP ranges and cloud metadata endpoints at the firewall or network level to reduce risk.

Monitor for any suspicious activity and apply patches or updates from the MetaGPT project as soon as they are released.

Compliance Impact

The vulnerability CVE-2026-6111 is a Server-Side Request Forgery (SSRF) flaw that allows attackers to access internal network resources, including cloud metadata endpoints that may contain sensitive credentials. This can lead to unauthorized internal network access and potential data exfiltration.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart