CVE-2026-5972
Published: 09 April 2026
Summary
CVE-2026-5972 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability has been identified in FoundationAgents MetaGPT versions up to 0.8.1, specifically in the Terminal.run_command function within the metagpt/tools/libs/terminal.py library. The flaw stems from improper handling of input that permits OS command injection, tracked under CWE-77 and CWE-78, and carries a CVSS 4.0 score of 6.9 reflecting network-accessible impact on confidentiality, integrity, and availability without requiring authentication or user interaction.
Remote attackers can exploit the issue by supplying crafted input to the affected function, enabling arbitrary command execution on the underlying system. Public disclosure of the exploit means it is available for potential use by threat actors targeting unpatched MetaGPT deployments.
The project repository references a patch identified as d04ffc8dc67903e8b327f78ec121df5e190ffc7b that addresses the command injection vector, and applying this update is stated as the recommended remediation.
The associated EPSS score rose from a low baseline to a peak of 0.0176 shortly after the April 2026 disclosure before receding to its current value of 0.0046, indicating a temporary increase in estimated exploitation likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21049
Vulnerability details
A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to OS command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: metagpt
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in network-accessible MetaGPT terminal function enables remote exploitation of public-facing application (T1190) and arbitrary OS command execution via command/scripting interpreter (T1059).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates OS command injection by requiring validation of untrusted inputs to the Terminal.run_command function against expected syntax and semantics.
Requires timely remediation of the specific flaw through application of the patch in commit d04ffc8dc67903e8b327f78ec121df5e190ffc7b.
Limits the scope and impact of injected OS commands by enforcing least privilege on the MetaGPT process executing terminal commands.