Cyber Resilience

CVE-2026-5974

Medium

Published: 09 April 2026

Published
09 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0046 64.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5974 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability was identified in FoundationAgents MetaGPT up to version 0.8.1, specifically an OS command injection flaw in the Bash.run function within the metagpt/tools/libs/terminal.py library. The issue stems from improper handling of inputs to the affected function and is tracked under CWE-77 and CWE-78, with a CVSS 4.0 score of 6.9 reflecting network-accessible impact on confidentiality, integrity, and availability.

Remote attackers without authentication can exploit the flaw to inject and execute arbitrary operating system commands, achieving limited control over the affected system. The project maintainers were notified of the issue via a pull request prior to disclosure but have not yet implemented a fix.

The associated GitHub issue and pull request indicate no official patch or mitigation guidance is currently available. Exploitation probability rose from a low baseline to a peak of 0.0176 shortly after publication before receding, signaling transient post-disclosure interest in the vulnerability.

EU & UK References

Vulnerability details

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed…

more

of the problem early through a pull request but has not reacted yet.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: metagpt

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in Bash.run enables remote arbitrary command execution on Unix-like systems (T1059.004) and exploitation of public-facing applications (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-9454Shared CWE-77, CWE-78
CVE-2026-6116Shared CWE-77, CWE-78
CVE-2026-6158Shared CWE-77, CWE-78
CVE-2026-7138Shared CWE-77, CWE-78
CVE-2025-9387Shared CWE-77, CWE-78
CVE-2025-15472Shared CWE-77, CWE-78
CVE-2026-2260Shared CWE-77, CWE-78
CVE-2026-9385Shared CWE-77, CWE-78
CVE-2026-4465Shared CWE-77, CWE-78
CVE-2026-7125Shared CWE-77, CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validating untrusted inputs to the Bash.run function to block OS command injection attacks.

prevent

Mandates identification, reporting, and correction of flaws like the command injection vulnerability in MetaGPT up to 0.8.1.

prevent

Limits the privileges of the MetaGPT process executing Bash.run, reducing potential impact of injected commands.

References