Cyber Resilience

CVE-2026-5971

Medium

Published: 09 April 2026

Published
09 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0009 25.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5971 is a medium-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5971 is a code injection vulnerability stemming from improper neutralization of directives in dynamically evaluated code (CWE-94, CWE-95) in the ActionNode.xml_fill function within the file metagpt/actions/action_node.py of the XML Handler component. It affects FoundationAgents MetaGPT versions up to 0.8.1. The issue was published on 2026-04-09 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no user interaction or privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution through manipulated XML inputs processed by the dynamic evaluation mechanism.

Advisories referenced in GitHub issues #1928 and #1956, along with VulDB entries, indicate the project was notified early via a pull request but has not yet responded or issued patches. No official mitigations or fixes are available as of the latest reports.

Notably, an exploit has been publicly disclosed and may be actively used. MetaGPT, as a multi-agent framework leveraging large language models, introduces AI/ML-specific risks where XML handling flaws could propagate through agent workflows, amplifying potential impacts in automated decision-making systems.

EU & UK References

Vulnerability details

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code.…

more

The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: metagpt

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Remote unauthenticated code injection leading to arbitrary code execution in a public-facing Python-based application directly maps to T1190 for exploitation of public-facing apps and T1059.006 for Python command/script execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28505Shared CWE-94, CWE-95
CVE-2025-54322Shared CWE-94, CWE-95
CVE-2025-53890Shared CWE-94
CVE-2026-31220Shared CWE-94
CVE-2026-0863Shared CWE-94, CWE-95
CVE-2024-57609Shared CWE-94
CVE-2026-35002Shared CWE-95
CVE-2026-31231Shared CWE-94
CVE-2025-54550Shared CWE-94
CVE-2026-4965Shared CWE-94, CWE-95

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly addresses the improper neutralization of directives in XML inputs to ActionNode.xml_fill by requiring validation to prevent code injection.

prevent

SI-2 ensures timely identification, reporting, and correction of flaws like CVE-2026-5971 in MetaGPT, preventing exploitation through patching or mitigation.

detect

RA-5 requires vulnerability scanning to detect the presence of CVE-2026-5971 in MetaGPT deployments, enabling prioritized remediation.

References