CVE-2026-10566
Description
Deserialization vulnerability in MetaGPT allows local code execution via manipulated message data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A deserialization vulnerability exists in FoundationAgents MetaGPT up to version 0.8.2. The Message.check_instruct_content function in metagpt/schema.py improperly handles the mapping argument. When processing serialized instruct_content data, specifically within the mapping branch, attacker-controlled strings are passed to metagpt/utils/serialize.py:actionoutput_str_to_mapping(), which uses eval(). This allows for arbitrary code execution during the deserialization of a Message object [2].
Exploitation
An attacker needs to influence serialized Message data before it is deserialized. This can be achieved by crafting a malicious payload that includes a manipulated instruct_content field with a crafted mapping value. When this payload is deserialized by the application, the eval() function will execute arbitrary Python code [2]. The attack is restricted to local execution [Description].
Impact
Successful exploitation allows an attacker to execute arbitrary Python code with the privileges of the running application. This could lead to a full compromise of the application's environment and any data it can access [2].
Mitigation
FoundationAgents MetaGPT versions prior to 0.8.2 are affected. A fix for this vulnerability has not yet been released, and the project has been informed but has not yet responded [Description, 2]. There are no known workarounds or patches available at this time.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.8.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The function `actionoutput_str_to_mapping` uses `eval()` on attacker-controlled input, leading to arbitrary code execution."
Attack vector
An attacker can influence serialized Message data before it is deserialized. By manipulating the `mapping` argument within the `instruct_content` of a Message, an attacker can inject arbitrary Python code. This code is then executed when the Message is deserialized by the `Message.load()` function or related deserialization paths [ref_id=2]. The attack is restricted to local execution [CVSS vector].
Affected code
The vulnerability exists in the `Message.check_instruct_content` function within `metagpt/schema.py` and the `actionoutput_str_to_mapping` function in `metagpt/utils/serialize.py` [ref_id=2]. Specifically, the code at `metagpt/schema.py:251-263` and `metagpt/utils/serialize.py:50-57` is affected [ref_id=2].
What the fix does
The advisory suggests removing the use of `eval()` from the `actionoutput_str_to_mapping` function. It also recommends using a strict parser or a whitelist for supported field type encodings, and rejecting unknown types instead of evaluating arbitrary expressions [ref_id=2]. The project has not yet responded to the issue, so a patch is not available.
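As an added example (not MetaGPT's own code), the strict whitelist parser the advisory recommends in place of eval(): it assumes field types are serialized as str((type, Ellipsis)) strings such as "(<class 'str'>, Ellipsis)" or "(list[str], Ellipsis)" (the exact MetaGPT encoding is an assumption here), resolves only whitelisted type names and list/dict parameters by pattern matching, and raises on any other input instead of evaluating it.

```python
import re
from typing import Any

# Added example, not MetaGPT's code. Assumes field types are serialised as
# str((type, Ellipsis)), e.g. "(<class 'str'>, Ellipsis)" or "(list[str], Ellipsis)".
_ALLOWED_TYPES: dict[str, type] = {"str": str, "int": int, "float": float, "bool": bool, "list": list, "dict": dict}
_CLASS_RE = re.compile(r"^<class '(\w+)'>$")     # "<class 'str'>"
_GENERIC_RE = re.compile(r"^(\w+)\[(.+)\]$")     # "list[str]", "dict[str, int]"
_ENTRY_RE = re.compile(r"^\((.+), Ellipsis\)$")  # "(list[str], Ellipsis)"

def _lookup(name: str) -> type:
    if name not in _ALLOWED_TYPES:  # unknown name: reject, never evaluate
        raise ValueError(f"unsupported type encoding: {name!r}")
    return _ALLOWED_TYPES[name]

def _split_top_level(s: str) -> list[str]:
    # Split "str, list[int]" on commas that are not nested inside brackets.
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(s[start:i])
            start = i + 1
    parts.append(s[start:])
    return [p.strip() for p in parts]

def parse_type_expr(expr: str) -> Any:
    # Structural parsing only: no eval(), no attribute access, no calls.
    expr = expr.strip()
    if m := _CLASS_RE.match(expr):
        return _lookup(m.group(1))
    if m := _GENERIC_RE.match(expr):
        outer = _lookup(m.group(1))
        if outer not in (list, dict):
            raise ValueError(f"only list/dict may take parameters: {expr!r}")
        args = tuple(parse_type_expr(a) for a in _split_top_level(m.group(2)))
        return outer[args[0] if len(args) == 1 else args]
    return _lookup(expr)

def safe_str_to_mapping(mapping: dict[str, str]) -> dict[str, tuple[Any, Any]]:
    # Whitelist-based replacement for an eval()-based string-to-mapping decoder.
    out: dict[str, tuple[Any, Any]] = {}
    for key, value in mapping.items():
        m = _ENTRY_RE.match(value.strip())
        if not m:
            raise ValueError(f"malformed field encoding for {key!r}: {value!r}")
        out[key] = (parse_type_expr(m.group(1)), ...)
    return out
```

Any encoding that is not a whitelisted name or a list/dict of whitelisted names fails closed with ValueError, so a crafted mapping value can only cause a rejected Message, not code execution.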
Preconditions
- Input: Attacker must be able to influence serialized Message data before deserialization.
- Config: Local execution is required.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.