EUVD-2026-33872
GHSA-3c3g-7hwg-9qmr
Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function Message.check_instruct_content of the file metagpt/schema.py. Executing a manipulation of the argument mapping can lead to deserialization. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Unsafe deserialization in FoundationAgents MetaGPT versions up to and including 0.8.2 allows a local low-privileged attacker to achieve confidentiality, integrity, and availability impact by manipulating the mapping argument passed to Message.check_instruct_content in metagpt/schema.py. Publicly available exploit code (POC) exists via a GitHub issue report, elevating practical risk despite the local-only attack vector. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local execution - the CVSS vector AV:L explicitly limits this to attackers already present on the target host. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 5.3 (Medium) reflects a local attack vector (AV:L), low complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and limited impact across confidentiality, integrity, and availability (C:L/I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a local low-privileged account on a system running MetaGPT crafts a malicious `mapping` payload designed to abuse Python deserialization gadget chains, then triggers the `Message.check_instruct_content` function - accessible through MetaGPT's normal agent message-processing pipeline - with the malicious argument. The public POC at GitHub issue #2038 demonstrates the technique; upon deserialization, attacker-controlled objects are instantiated, enabling limited code execution, local file read/write, or privilege escalation depending on available gadget chains in the Python environment. |
| Remediation | No vendor-released patch has been identified at time of analysis - the FoundationAgents project has not responded to the coordinated disclosure submitted via GitHub issue #2038 (https://github.com/FoundationAgents/MetaGPT/issues/2038). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today