Skip to main content

Metagpt CVE-2026-6109

| EUVD-2026-21694 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-12 VulDB GHSA-w287-wwhf-95vv
CSRF Metagpt
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

8
PoC Detected
Apr 29, 2026 - 18:46 vuln.today
Public exploit code
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 12, 2026 - 02:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 12, 2026 - 01:47 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 01:45 euvd
EUVD-2026-21694
Analysis Generated
Apr 12, 2026 - 01:45 vuln.today
CVE Published
Apr 12, 2026 - 01:30 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to perform unauthorized actions via the evaluateCode function in the Mineflayer HTTP API component. The vulnerability requires user interaction (UI:R) and has limited integrity impact, but publicly available exploit code exists and the vendor has not yet responded to early notification.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious web page
Delivery
User visits page while authenticated to MetaGPT
Exploit
Browser sends forged CSRF request to Mineflayer API
Execution
evaluateCode function processes request without token validation
Impact
Attacker-controlled code executes with user privileges
Sign in to reveal

Vulnerability AssessmentAI

Risk Assessment While the CVSS score of 4.3 indicates low severity, the risk assessment reveals a middle-ground real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker creates a malicious website containing JavaScript that submits a forged request to the MetaGPT Mineflayer HTTP API evaluateCode endpoint. When a user visiting the attacker's site has an active MetaGPT session, the browser automatically includes session cookies, causing the forged request to execute. …
Remediation Upgrade FoundationAgents MetaGPT to a version released after 0.8.1 once available. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6109 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy