CVE-2026-6603
Received Received - Intake
Remote Code Injection in Modelscope AgentScope Python Execution Functions

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in modelscope agentscope up to 1.0.18. Affected by this vulnerability is the function execute_python_code/execute_shell_command of the file src/AgentScope/tool/_coding/_python.py. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-24
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-23
NVD
CVE-2026-6603
EUVD
EUVD-2026-23770
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
modelscope agentscope to 1.0.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in modelscope agentscope up to version 1.0.18, specifically in the functions execute_python_code and execute_shell_command within the file src/AgentScope/tool/_coding/_python.py.

It allows an attacker to perform code injection, meaning malicious code can be executed remotely on the affected system.

The vulnerability has been publicly disclosed and the vendor did not respond to early contact attempts.

Impact Analysis

This vulnerability can allow a remote attacker to inject and execute arbitrary code on the affected system.

Such an attack could lead to unauthorized control over the system, data compromise, disruption of services, or further exploitation.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to execute arbitrary code on the server, leading to full compromise of the server environment.

This includes exposure and theft of sensitive environment variables such as API keys and tokens, which could contain personal or confidential data.

Such unauthorized access and potential data exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring system integrity.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by enabling data breaches and loss of control over protected data.

Detection Guidance

Detection of CVE-2026-6603 involves monitoring for unauthorized execution of Python code or shell commands triggered remotely via the AgentScope LLM agents. Since the vulnerability allows remote code execution through HTTP endpoints, inspecting HTTP POST requests to endpoints like /chat for suspicious payloads is critical.

You can look for evidence of exploitation by checking for unexpected files created by attacker-supplied code, such as /tmp/agentscope_rce_pwned or /tmp/agentscope_env_leak.

Suggested commands to detect signs of exploitation or suspicious activity include:

  • Monitor HTTP POST requests to the /chat endpoint for suspicious payloads using tools like tcpdump or Wireshark.
  • Check for unexpected files created by attacker code: `ls -l /tmp/agentscope_rce_pwned /tmp/agentscope_env_leak`
  • Search process logs or running processes for unexpected Python or shell commands spawned by the AgentScope process.
  • Use system auditing tools (e.g., auditd) to track execution of subprocesses launched by the AgentScope service.
Mitigation Strategies

Immediate mitigation steps for CVE-2026-6603 include:

  • Disable or restrict access to the vulnerable AgentScope LLM agents, especially any HTTP endpoints like /chat that allow remote interaction.
  • Implement network-level controls such as firewall rules to block external access to the vulnerable services.
  • Avoid deploying or running AgentScope versions up to 1.0.18 until a patch or secure update is available.
  • Monitor your systems for signs of compromise, including unexpected file creation or unusual subprocess executions.
  • Consider isolating the AgentScope service in a restricted environment with minimal privileges and no access to sensitive environment variables.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart