CVE-2026-5971
Published: 09 April 2026
Summary
CVE-2026-5971 is a medium-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-5971 is a code injection vulnerability stemming from improper neutralization of directives in dynamically evaluated code (CWE-94, CWE-95) in the ActionNode.xml_fill function within the file metagpt/actions/action_node.py of the XML Handler component. It affects FoundationAgents MetaGPT versions up to 0.8.1. The issue was published on 2026-04-09 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no user interaction or privileges. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution through manipulated XML inputs processed by the dynamic evaluation mechanism.
Advisories referenced in GitHub issues #1928 and #1956, along with VulDB entries, indicate the project was notified early via a pull request but has not yet responded or issued patches. No official mitigations or fixes are available as of the latest reports.
Notably, an exploit has been publicly disclosed and may be actively used. MetaGPT, as a multi-agent framework leveraging large language models, introduces AI/ML-specific risks where XML handling flaws could propagate through agent workflows, amplifying potential impacts in automated decision-making systems.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21004
Vulnerability details
A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code.…
more
The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: metagpt
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated code injection leading to arbitrary code execution in a public-facing Python-based application directly maps to T1190 for exploitation of public-facing apps and T1059.006 for Python command/script execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly addresses the improper neutralization of directives in XML inputs to ActionNode.xml_fill by requiring validation to prevent code injection.
SI-2 ensures timely identification, reporting, and correction of flaws like CVE-2026-5971 in MetaGPT, preventing exploitation through patching or mitigation.
RA-5 requires vulnerability scanning to detect the presence of CVE-2026-5971 in MetaGPT deployments, enabling prioritized remediation.