Cyber Resilience

CVE-2026-0761

Severity: Critical
Type: RCE

Published: 23 January 2026
Modified: 20 February 2026
CISA KEV: not listed
CVSS v3 base score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0105 (59.9th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-0761 is a critical-severity Code Injection (CWE-94) vulnerability in Deepwisdom Metagpt. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 40.1% of CVEs by exploit likelihood (EPSS 0.0105, 59.9th percentile) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-0761 is a remote code execution vulnerability in Foundation Agents MetaGPT, specifically within the actionoutput_str_to_mapping function. The flaw stems from insufficient validation of a user-supplied string that is subsequently used to execute Python code, enabling arbitrary code execution. It carries a CVSS 3.0 base score of 9.8 and is tracked under CWE-94; the issue was originally reported as ZDI-CAN-28124.

The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects the exploitation conditions: an unauthenticated remote attacker can reach the vulnerable code over the network with no privileges and no user interaction, and code execution happens in the context of the service account, giving full control over the affected installation.

The referenced Zero Day Initiative advisory ZDI-26-027 provides further details on the issue. The EPSS score reached a peak of 0.0392 after starting from a lower baseline, indicating emerging exploitation interest following disclosure. MetaGPT is an AI-driven multi-agent framework, placing this vulnerability in the domain of widely used LLM tooling.

Vulnerability details

Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124.
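The pattern described above, as an added illustration that is not MetaGPT's own code: a string the application does not control is turned into a mapping of output-field names to Python types. In an agent framework such a string can arrive from a remote caller or from model output, and both are untrusted. The vulnerable variant hands the string to eval(), so any valid Python expression inside it runs; the hardened variant parses the same grammar with the ast module and resolves type names only from an allowlist, which is the SI-10 input-validation control recommended on this page in concrete form. The function names, the assumed mapping format (field name -> (type, default)) and the constructed payload are assumptions for this example; a real payload would run a command rather than set an environment-variable marker.

```python
"""Added illustration of the CWE-94 pattern described on this page.

This is NOT MetaGPT's code. It assumes a mapping format of
    {"FieldName": (<type expression>, <default>), ...}
received as a string from an untrusted source (remote caller or model output),
and shows an eval()-based parser beside an ast-based allowlisting parser.
Requires Python 3.9+ (builtin generics such as list[str]).
"""
import ast
import os
from typing import Any

# Constructed benign input in the assumed format.
BENIGN = '{"Code": (str, ...), "Tags": (list[str], ...), "Score": (int, 0)}'

# Constructed payload: still a syntactically valid dict literal, but evaluating
# it runs attacker-chosen code. Setting an environment variable stands in for
# the os.system(...) call a real payload would make.
MARKER = "PWNED_BY_EVAL"
PAYLOAD = '{"x": (__import__("os").environ.__setitem__("%s", "1"), ...)}' % MARKER

# Only these names may appear as types; anything else is rejected.
ALLOWED_TYPES: dict[str, Any] = {
    "str": str, "int": int, "float": float, "bool": bool,
    "list": list, "dict": dict, "tuple": tuple,
}
PARAMETERISABLE = (list, dict, tuple)


def str_to_mapping_unsafe(mapping_str: str) -> dict[str, tuple[Any, Any]]:
    """The bug class: the untrusted string is trusted and handed to eval()."""
    return eval(mapping_str)  # noqa: S307  (deliberately vulnerable)


def _resolve_type(node: ast.expr) -> Any:
    """Turn a type-expression AST (str, list[str], dict[str, int]) into a type.

    Only bare allowlisted names and subscripts of list/dict/tuple are accepted;
    calls, attribute lookups, dunder access and so on raise ValueError.
    """
    if isinstance(node, ast.Name):
        if node.id not in ALLOWED_TYPES:
            raise ValueError(f"type not allowed: {node.id}")
        return ALLOWED_TYPES[node.id]
    if isinstance(node, ast.Subscript):
        origin = _resolve_type(node.value)
        if origin not in PARAMETERISABLE:
            raise ValueError(f"{origin.__name__} may not be parameterised")
        if isinstance(node.slice, ast.Tuple):
            return origin[tuple(_resolve_type(e) for e in node.slice.elts)]
        return origin[_resolve_type(node.slice)]
    raise ValueError(f"unsupported type expression: {type(node).__name__}")


def str_to_mapping_safe(mapping_str: str) -> dict[str, tuple[Any, Any]]:
    """Parse the same format without executing anything.

    ast.parse only builds a syntax tree; values are then checked shape by
    shape, and defaults go through ast.literal_eval, which accepts literals
    only (including the Ellipsis placeholder).
    """
    body = ast.parse(mapping_str, mode="eval").body
    if not isinstance(body, ast.Dict):
        raise ValueError("expected a dict literal")
    mapping: dict[str, tuple[Any, Any]] = {}
    for key_node, value_node in zip(body.keys, body.values):
        if not (isinstance(key_node, ast.Constant) and isinstance(key_node.value, str)):
            raise ValueError("keys must be string literals")
        if not (isinstance(value_node, ast.Tuple) and len(value_node.elts) == 2):
            raise ValueError(f"value for {key_node.value!r} must be (type, default)")
        type_node, default_node = value_node.elts
        mapping[key_node.value] = (_resolve_type(type_node), ast.literal_eval(default_node))
    return mapping


def demonstrate() -> dict[str, Any]:
    """Run both parsers over the benign input and the constructed payload."""
    results: dict[str, Any] = {}
    os.environ.pop(MARKER, None)

    results["benign_safe"] = str_to_mapping_safe(BENIGN)
    results["benign_parsers_agree"] = str_to_mapping_unsafe(BENIGN) == results["benign_safe"]

    str_to_mapping_unsafe(PAYLOAD)  # returns a harmless-looking dict ...
    results["payload_ran_via_eval"] = os.environ.get(MARKER) == "1"  # ... after running the payload

    os.environ.pop(MARKER, None)
    try:
        str_to_mapping_safe(PAYLOAD)
        results["payload_rejected_by_safe"] = False
    except ValueError:
        results["payload_rejected_by_safe"] = os.environ.get(MARKER) is None
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The important design point is that the safe parser never asks the interpreter to evaluate the input: ast.parse produces a tree, the code walks it, and anything outside the expected shape (a Call node, an Attribute node, an unlisted name) is a hard error rather than something that gets resolved. ast.literal_eval alone would not be enough here, because the type names are not literals; the allowlist is what makes them safe to resolve.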

CWE(s): CWE-94 (Improper Control of Generation of Code, "Code Injection")

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: metagpt

Related Threats

CVEs Like This One

CVE-2026-6110: same product (Deepwisdom Metagpt)
CVE-2026-0760: same product (Deepwisdom Metagpt)
CVE-2026-2287: shared CWE-94
CVE-2025-5120: shared CWE-94
CVE-2026-45374: shared CWE-94
CVE-2026-30741: shared CWE-94
CVE-2026-44717: shared CWE-94
CVE-2025-69902: shared CWE-94
CVE-2025-61260: shared CWE-94
CVE-2026-27597: shared CWE-94

Affected Assets

Vendor: deepwisdom
Product: metagpt
Version: 0.8.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of user-supplied strings before they are used to execute Python code, blocking the exact flaw in actionoutput_str_to_mapping.

CM-7 Least Functionality (prevent): Restricts execution of unnecessary or unsafe code interpreters and functions, limiting the attack surface that allows unauthenticated Python code execution.

SI-3 Malicious Code Protection (prevent, detect): Deploys malicious-code protections that can inspect or sandbox inputs attempting to trigger arbitrary code execution via the vulnerable function.
