CVE-2026-5974
Published: 09 April 2026
Summary
CVE-2026-5974 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability was identified in FoundationAgents MetaGPT up to version 0.8.1, specifically an OS command injection flaw in the Bash.run function within the metagpt/tools/libs/terminal.py library. The issue stems from improper handling of inputs to the affected function and is tracked under CWE-77 and CWE-78, with a CVSS 4.0 score of 6.9 reflecting network-accessible impact on confidentiality, integrity, and availability.
Remote attackers without authentication can exploit the flaw to inject and execute arbitrary operating system commands, achieving limited control over the affected system. The project maintainers were notified of the issue via a pull request prior to disclosure but have not yet implemented a fix.
The associated GitHub issue and pull request indicate no official patch or mitigation guidance is currently available. Exploitation probability rose from a low baseline to a peak of 0.0176 shortly after publication before receding, signaling transient post-disclosure interest in the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21072
Vulnerability details
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes OS command injection. The attack can be carried out remotely. The project was informed of the problem early through a pull request but has not reacted yet.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: metagpt
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in Bash.run enables remote arbitrary command execution on Unix-like systems (T1059.004) and exploitation of public-facing applications (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validating untrusted inputs to the Bash.run function to block OS command injection attacks.
Mandates identification, reporting, and correction of flaws like the command injection vulnerability in MetaGPT up to 0.8.1.
Limits the privileges of the MetaGPT process executing Bash.run, reducing potential impact of injected commands.