Cyber Resilience

CVE-2026-6110

Medium · Public PoC

Published: 12 April 2026

Modified: 30 April 2026
KEV Added:
Patch:
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0041 (32.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6110 is a medium-severity Injection (CWE-74) vulnerability in Deepwisdom Metagpt. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-6110 is a code injection vulnerability affecting FoundationAgents MetaGPT versions up to 0.8.1, specifically in the generate_thoughts function of the metagpt/strategy/tot.py file within the Tree-of-Thought Solver component. Published on 2026-04-12, it is linked to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A remote attacker needs no privileges and no user interaction, and can exploit the flaw over the network with low attack complexity, leading to arbitrary code injection. Successful exploitation can result in low-level impacts to confidentiality, integrity, and availability.

References indicate the project was informed early via GitHub issue #1933 but has not responded as of the latest details. A related pull request #1946 appears in the repository, potentially offering a fix, with additional submission and vulnerability details on VulDB (vuldb.com/submit/791761 and vuldb.com/vuln/356970). The exploit is publicly available and might be used.

No real-world exploitation of MetaGPT, an AI agent framework incorporating Tree-of-Thought reasoning, has been reported at this time.

Vulnerability details

A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.1. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Security Analysis · AI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: metagpt

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190: Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006: Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Remote code injection vulnerability in Python-based MetaGPT framework enables exploitation of public-facing applications (T1190) and arbitrary Python code execution via T1059.006.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0761 · Same product: Deepwisdom Metagpt
CVE-2026-0760 · Same product: Deepwisdom Metagpt
CVE-2026-5631 · Shared CWE-74, CWE-94
CVE-2026-2008 · Shared CWE-74, CWE-94
CVE-2026-5970 · Shared CWE-74, CWE-94
CVE-2026-4998 · Shared CWE-74, CWE-94
CVE-2026-5584 · Shared CWE-74, CWE-94
CVE-2026-3409 · Shared CWE-74, CWE-94
CVE-2026-5971 · Shared CWE-94
CVE-2026-4965 · Shared CWE-94

Affected Assets

deepwisdom metagpt: 0.8.0, 0.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly mandates timely remediation of the known code injection flaw in MetaGPT's generate_thoughts function to eliminate the vulnerability.

prevent: Requires validation of inputs to the Tree-of-Thought Solver to neutralize special elements and prevent remote code injection.

prevent: Filters outputs from generate_thoughts to properly neutralize special elements before use by downstream components, addressing CWE-74.