CVE-2026-5971
Published: 09 April 2026
Summary
CVE-2026-5971 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly addresses the improper neutralization of directives in XML inputs to ActionNode.xml_fill by requiring validation to prevent code injection.
SI-2 ensures timely identification, reporting, and correction of flaws like CVE-2026-5971 in MetaGPT, preventing exploitation through patching or mitigation.
RA-5 requires vulnerability scanning to detect the presence of CVE-2026-5971 in MetaGPT deployments, enabling prioritized remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated code injection leading to arbitrary code execution in a public-facing Python-based application directly maps to T1190 for exploitation of public-facing apps and T1059.006 for Python command/script execution.
NVD Description
A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code.…
more
The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Deeper analysisAI
CVE-2026-5971 is a code injection vulnerability stemming from improper neutralization of directives in dynamically evaluated code (CWE-94, CWE-95) in the ActionNode.xml_fill function within the file metagpt/actions/action_node.py of the XML Handler component. It affects FoundationAgents MetaGPT versions up to 0.8.1. The issue was published on 2026-04-09 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no user interaction or privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution through manipulated XML inputs processed by the dynamic evaluation mechanism.
Advisories referenced in GitHub issues #1928 and #1956, along with VulDB entries, indicate the project was notified early via a pull request but has not yet responded or issued patches. No official mitigations or fixes are available as of the latest reports.
Notably, an exploit has been publicly disclosed and may be actively used. MetaGPT, as a multi-agent framework leveraging large language models, introduces AI/ML-specific risks where XML handling flaws could propagate through agent workflows, amplifying potential impacts in automated decision-making systems.
Details
- CWE(s)