CVE-2026-10566
Deserialization Flaw in FoundationAgents MetaGPT
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| foundationagents | metagpt | to 0.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in FoundationAgents MetaGPT up to version 0.8.2 is an unsafe deserialization issue in the function Message.check_instruct_content located in the file metagpt/schema.py.
Specifically, when serialized data containing attacker-controlled strings is passed to the function actionoutput_str_to_mapping(), it uses Python's eval() function to evaluate these strings. This unsafe use of eval() allows an attacker to execute arbitrary code during deserialization if they can manipulate the serialized data before it is processed.
The vulnerability is limited to local execution, meaning the attacker must have local access to exploit it. The vulnerable code also dynamically imports serialized module or class names, further increasing the attack surface.
A proof-of-concept shows that an attacker could inject code to execute system commands during deserialization, such as printing a message.
The suggested fix is to remove the eval() call and replace it with a strict parser or whitelist to safely handle supported field type encodings.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary code execution on the local machine where MetaGPT is running.
If an attacker can manipulate the serialized data processed by MetaGPT, they could execute malicious commands or code, potentially compromising the integrity and security of the system.
Because the exploit requires local access, the risk is limited to users or processes with local privileges, but it still poses a significant threat to trusted environments.
Successful exploitation could lead to data corruption, unauthorized actions, or disruption of the software development processes automated by MetaGPT.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe deserialization in the MetaGPT framework's Message.check_instruct_content() method, which is triggered by manipulation of serialized instruct_content data containing a mapping field. Detection involves identifying if the vulnerable version of MetaGPT (up to 0.8.2) is in use and if untrusted serialized data is being processed locally.
Since the exploit requires local execution and manipulation of serialized data, detection can focus on monitoring usage of the metagpt/schema.py file, especially the check_instruct_content() function, and any suspicious invocation of eval() or dynamic imports in this context.
Suggested commands to detect potential exploitation attempts or presence of the vulnerable code include:
- Searching for the vulnerable code pattern in the installed MetaGPT package: `grep -n 'eval(' $(pip show metagpt -f | grep metagpt/schema.py)`
- Checking for usage of the vulnerable method in logs or runtime traces if available.
- Monitoring for suspicious local execution of MetaGPT commands or scripts that process serialized instruct_content data.
Because the vulnerability is local and involves deserialization, network detection is limited; focus should be on local file integrity, code review, and runtime behavior monitoring.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing the execution of untrusted serialized data within MetaGPT, especially avoiding the use of the vulnerable eval() call in the actionoutput_str_to_mapping() function.
- Do not run MetaGPT versions up to 0.8.2 in environments where untrusted users can supply serialized instruct_content data.
- If possible, review and patch the vulnerable code by removing or replacing the eval() call with a safe parser or whitelist approach as suggested.
- Restrict local access to systems running MetaGPT to trusted users only, since the attack requires local execution.
- Monitor and audit usage of MetaGPT commands and scripts that handle serialized data.
Since the project has not yet responded with an official fix, these steps are critical to reduce risk until a patched version is released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of the CVE-2026-10566 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.