CVE-2026-10566
Deferred Deferred - Pending Action
Deserialization Flaw in FoundationAgents MetaGPT

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A weakness has been identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function Message.check_instruct_content of the file metagpt/schema.py. Executing a manipulation of the argument mapping can lead to deserialization. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-10566
EUVD
EUVD-2026-33872
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
foundationagents metagpt to 0.8.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in FoundationAgents MetaGPT up to version 0.8.2 is an unsafe deserialization issue in the function Message.check_instruct_content located in the file metagpt/schema.py.

Specifically, when serialized data containing attacker-controlled strings is passed to the function actionoutput_str_to_mapping(), it uses Python's eval() function to evaluate these strings. This unsafe use of eval() allows an attacker to execute arbitrary code during deserialization if they can manipulate the serialized data before it is processed.

The vulnerability is limited to local execution, meaning the attacker must have local access to exploit it. The vulnerable code also dynamically imports serialized module or class names, further increasing the attack surface.

A proof-of-concept shows that an attacker could inject code to execute system commands during deserialization, such as printing a message.

The suggested fix is to remove the eval() call and replace it with a strict parser or whitelist to safely handle supported field type encodings.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the local machine where MetaGPT is running.

If an attacker can manipulate the serialized data processed by MetaGPT, they could execute malicious commands or code, potentially compromising the integrity and security of the system.

Because the exploit requires local access, the risk is limited to users or processes with local privileges, but it still poses a significant threat to trusted environments.

Successful exploitation could lead to data corruption, unauthorized actions, or disruption of the software development processes automated by MetaGPT.

Detection Guidance

This vulnerability involves unsafe deserialization in the MetaGPT framework's Message.check_instruct_content() method, which is triggered by manipulation of serialized instruct_content data containing a mapping field. Detection involves identifying if the vulnerable version of MetaGPT (up to 0.8.2) is in use and if untrusted serialized data is being processed locally.

Since the exploit requires local execution and manipulation of serialized data, detection can focus on monitoring usage of the metagpt/schema.py file, especially the check_instruct_content() function, and any suspicious invocation of eval() or dynamic imports in this context.

Suggested commands to detect potential exploitation attempts or presence of the vulnerable code include:

  • Searching for the vulnerable code pattern in the installed MetaGPT package: `grep -n 'eval(' $(pip show metagpt -f | grep metagpt/schema.py)`
  • Checking for usage of the vulnerable method in logs or runtime traces if available.
  • Monitoring for suspicious local execution of MetaGPT commands or scripts that process serialized instruct_content data.

Because the vulnerability is local and involves deserialization, network detection is limited; focus should be on local file integrity, code review, and runtime behavior monitoring.

Mitigation Strategies

Immediate mitigation steps include preventing the execution of untrusted serialized data within MetaGPT, especially avoiding the use of the vulnerable eval() call in the actionoutput_str_to_mapping() function.

  • Do not run MetaGPT versions up to 0.8.2 in environments where untrusted users can supply serialized instruct_content data.
  • If possible, review and patch the vulnerable code by removing or replacing the eval() call with a safe parser or whitelist approach as suggested.
  • Restrict local access to systems running MetaGPT to trusted users only, since the attack requires local execution.
  • Monitor and audit usage of MetaGPT commands and scripts that handle serialized data.

Since the project has not yet responded with an official fix, these steps are critical to reduce risk until a patched version is released.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-10566 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart