Cyber Resilience

CVE-2026-0760

Severity: Critical · RCE

Published: 23 January 2026
Modified: 20 February 2026
KEV Added: not listed
Patch
CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0099 (58.1st percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-0760 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Deepwisdom Metagpt. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 41.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0760 is a remote code execution vulnerability in Foundation Agents MetaGPT stemming from unsafe deserialization in the deserialize_message function. The flaw arises from insufficient validation of user-supplied data, allowing deserialization of untrusted input and leading to arbitrary code execution under the privileges of the service account. It carries a CVSS 3.0 score of 9.8 and is tracked under CWE-502.

Unauthenticated remote attackers can exploit the issue over the network by supplying crafted serialized data to the affected function, achieving full code execution on vulnerable installations without requiring user interaction or credentials.

The sole referenced advisory is ZDI-26-026 from the Zero Day Initiative, which originally assigned the identifier ZDI-CAN-28121.

EPSS scores for the CVE rose from a low baseline to a peak of 0.0416 before settling at the current value of 0.0246, indicating emerging exploitation interest after disclosure.

Vulnerability details

Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121.

CWE(s)

CWE-502 (Deserialization of Untrusted Data)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: metagpt

Related Threats

CVEs Like This One

CVE-2026-0761 (same product: Deepwisdom Metagpt)
CVE-2026-6110 (same product: Deepwisdom Metagpt)
CVE-2025-14931 (shared CWE-502)
CVE-2026-28277 (shared CWE-502)
CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2024-57764 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2025-50460 (shared CWE-502)

Affected Assets

Vendor: deepwisdom
Product: metagpt
Version: 0.8.1

Mitigating Controls (NIST 800-53 r5)

SI-10, Information Input Validation (prevent): Directly requires validation of untrusted serialized input to the deserialize_message function, blocking the unsafe deserialization path that enables RCE.

AC-3, Access Enforcement (prevent): Enforces access control checks before any message processing, preventing unauthenticated remote attackers from reaching the vulnerable deserialization function.

(prevent, detect): Provides malicious-code detection and blocking mechanisms that can intercept code execution payloads resulting from successful deserialization.
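Neither control description says what the validation or the access check looks like in code. The following is an added example, not MetaGPT project code and not the fix shipped for CVE-2026-0760: it models a hardened replacement for an opaque deserialization entry point such as deserialize_message. The page does not state which serializer the affected function uses, so the example assumes messages arrive as bytes over the network and swaps in a plain-data JSON format parsed against a strict field allowlist (SI-10), with an HMAC sender check applied before parsing (AC-3). The names deserialize_message_safe, sign, is_rejected and SHARED_SECRET, the message field names, the role allowlist and the size limits are all assumptions made for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Tuple

# Hypothetical limits and allowlists for this example; tune per deployment.
MAX_MESSAGE_BYTES = 64 * 1024
ALLOWED_FIELDS = {"role", "content", "sent_from", "send_to"}
ALLOWED_ROLES = {"user", "assistant", "system"}

# Constructed shared secret for the example only; a real deployment loads it
# from a secrets store, never from source.
SHARED_SECRET = b"example-shared-secret-do-not-use"


class MessageRejected(ValueError):
    """Raised when an inbound message fails authentication or validation."""


@dataclass(frozen=True)
class Message:
    role: str
    content: str
    sent_from: str
    send_to: Tuple[str, ...]


def sign(payload: bytes) -> str:
    """HMAC-SHA256 tag (hex) over the raw serialized bytes."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def serialize_message(msg: Message) -> Tuple[bytes, str]:
    """Emit a plain-data JSON document plus its authentication tag."""
    doc = {
        "role": msg.role,
        "content": msg.content,
        "sent_from": msg.sent_from,
        "send_to": list(msg.send_to),
    }
    payload = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    return payload, sign(payload)


def _require_str(obj: dict, key: str, max_len: int) -> str:
    value = obj.get(key)
    if not isinstance(value, str):
        raise MessageRejected(f"{key}: expected a string")
    if len(value) > max_len:
        raise MessageRejected(f"{key}: exceeds {max_len} characters")
    return value


def deserialize_message_safe(payload: bytes, tag_hex: str) -> Message:
    """AC-3 first (who sent this?), then SI-10 (is the content well-formed?)."""
    # AC-3: refuse unauthenticated senders before the payload is even parsed.
    if not isinstance(tag_hex, str) or not hmac.compare_digest(sign(payload), tag_hex):
        raise MessageRejected("sender authentication failed")
    # SI-10: bound the size, parse as plain data only, allowlist every field.
    if len(payload) > MAX_MESSAGE_BYTES:
        raise MessageRejected("message exceeds size limit")
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise MessageRejected(f"malformed message: {exc}") from None
    if not isinstance(obj, dict):
        raise MessageRejected("top-level value must be an object")
    unknown = set(obj) - ALLOWED_FIELDS
    if unknown:
        raise MessageRejected(f"unknown fields: {sorted(unknown)}")
    role = _require_str(obj, "role", 32)
    if role not in ALLOWED_ROLES:
        raise MessageRejected(f"role not allowed: {role!r}")
    content = _require_str(obj, "content", MAX_MESSAGE_BYTES)
    sent_from = _require_str(obj, "sent_from", 128)
    send_to = obj.get("send_to", [])
    if not isinstance(send_to, list) or not all(
        isinstance(x, str) and len(x) <= 128 for x in send_to
    ):
        raise MessageRejected("send_to: expected a list of short strings")
    return Message(role=role, content=content, sent_from=sent_from, send_to=tuple(send_to))


def is_rejected(payload: bytes, tag_hex: str) -> bool:
    """True when the hardened path refuses the message; a natural hook for logging or alerting."""
    try:
        deserialize_message_safe(payload, tag_hex)
    except MessageRejected:
        return True
    return False


if __name__ == "__main__":
    original = Message("user", "hello", "Alice", ("Bob",))
    payload, tag = serialize_message(original)
    print(deserialize_message_safe(payload, tag) == original)  # True
    print(is_rejected(payload + b" ", tag))                     # True: tampered bytes
```

The ordering is the point: the authenticity check runs on the raw bytes, so a sender without the shared secret never reaches the parser, and the parser itself can only ever produce strings, lists and dicts, never objects with executable behaviour. Every MessageRejected carries a reason, so the rejection path is where a deployment would emit the detection signal the third control describes.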

References

ZDI-26-026 (Zero Day Initiative advisory; originally tracked as ZDI-CAN-28121)