CVE-2026-5972
Published: 09 April 2026
Summary
CVE-2026-5972 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by requiring validation of untrusted inputs to the Terminal.run_command function against expected syntax and semantics.
Requires timely remediation of the specific flaw through application of the patch in commit d04ffc8dc67903e8b327f78ec121df5e190ffc7b.
Limits the scope and impact of injected OS commands by enforcing least privilege on the MetaGPT process executing terminal commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in network-accessible MetaGPT terminal function enables remote exploitation of public-facing application (T1190) and arbitrary OS command execution via command/scripting interpreter (T1059).
NVD Description
A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed…
more
to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.
Deeper analysisAI
CVE-2026-5972 is an OS command injection vulnerability affecting FoundationAgents MetaGPT versions up to 0.8.1. The issue resides in the Terminal.run_command function within the metagpt/tools/libs/terminal.py library, where improper input handling allows manipulation leading to arbitrary command execution on the host system. This flaw is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network-accessible nature and lack of prerequisites.
Remote attackers can exploit this vulnerability without authentication or user interaction by sending specially crafted inputs to trigger the vulnerable function. Successful exploitation enables partial compromise of confidentiality, integrity, and availability, such as executing unauthorized OS commands on the affected system, potentially leading to data exfiltration, modification, or disruption depending on the attacker's privileges and environment.
Mitigation is addressed via a patch in commit d04ffc8dc67903e8b327f78ec121df5e190ffc7b, available in the MetaGPT repository; applying this patch is the recommended fix. Related advisories include GitHub issue #1929 in the FoundationAgents/MetaGPT repository and entries on VulDB (vuln/356526 and submit/791745), which detail the vulnerability and patch.
The exploit has been publicly disclosed and may be actively used, urging immediate patching for MetaGPT deployments, particularly in AI agent frameworks where terminal interactions are common.
Details
- CWE(s)