CVE-2026-0760
Published: 23 January 2026
Summary
CVE-2026-0760 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Deepwisdom Metagpt. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 41.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0760 is a remote code execution vulnerability in Foundation Agents MetaGPT stemming from unsafe deserialization in the deserialize_message function. The flaw arises from insufficient validation of user-supplied data, allowing deserialization of untrusted input and leading to arbitrary code execution under the privileges of the service account. It carries a CVSS 3.0 score of 9.8 and is tracked under CWE-502.
Unauthenticated remote attackers can exploit the issue over the network by supplying crafted serialized data to the affected function, achieving full code execution on vulnerable installations without requiring user interaction or credentials.
The sole referenced advisory is ZDI-26-026 from the Zero Day Initiative, which originally assigned the identifier ZDI-CAN-28121.
EPSS scores for the CVE rose from a low baseline to a peak of 0.0416 before settling at the current value of 0.0246, indicating emerging exploitation interest after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4478
Vulnerability details
Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists…
more
within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: metagpt
Related Threats
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted serialized input to the deserialize_message function, blocking the unsafe deserialization path that enables RCE.
Enforces access control checks before any message processing, preventing unauthenticated remote attackers from reaching the vulnerable deserialization function.
Provides malicious-code detection and blocking mechanisms that can intercept code execution payloads resulting from successful deserialization.