VYPR
Medium severity, 5.0 · NVD Advisory · Published Jun 7, 2026

CVE-2026-11455

Description

Command injection in MetaGPT's Mermaid rendering allows remote attackers to execute arbitrary commands by manipulating the mermaid.path configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A command injection vulnerability exists in FoundationAgents MetaGPT up to version 0.8.2. The issue resides in the check_cmd_exists function within metagpt/utils/common.py and also in mermaid_to_file within metagpt/utils/mermaid.py. The mermaid.path configuration value is treated as a raw string and embedded directly into shell commands, allowing for injection of arbitrary shell syntax.

Exploitation

An attacker needs to control the mermaid.path setting in the config.yaml file. By setting this value to include shell metacharacters and malicious commands, such as mmdc; /bin/bash -c '...' #, an attacker can achieve arbitrary command execution when MetaGPT attempts to render Mermaid diagrams. Exploitation is rated as highly complex and is known to be difficult in practice [1].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the system with the privileges of the user running MetaGPT. This could lead to unauthorized access, data theft, or further compromise of the affected system.

Mitigation

There is no specific patched version or release date mentioned in the available references. Users are advised to monitor the project's issue tracker [1] for updates. As a workaround, ensure that the mermaid.path configuration is not controlled by untrusted users and is set to a safe, default value if Mermaid rendering is required.

AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `mermaid.path` configuration value is treated as a raw string and embedded into shell commands without proper sanitization, allowing for command injection."

Attack vector

An attacker can exploit this vulnerability by manipulating the `mermaid.path` field within the `config.yaml` file. This value is directly incorporated into shell commands executed by the `check_cmd_exists` function and the `mermaid_to_file` function. By injecting shell metacharacters into this path, an attacker can execute arbitrary commands with the privileges of the user running MetaGPT. The attack can be initiated remotely if the configuration file is accessible or modifiable by an attacker [1].

Affected code

The vulnerability exists in the `check_cmd_exists` function within `metagpt/utils/common.py` and the `mermaid_to_file` function within `metagpt/utils/mermaid.py`. In `check_cmd_exists`, the `command` argument, derived from `mermaid.path`, is directly concatenated into a shell command executed by `os.system()`. In `mermaid_to_file`, the `config.mermaid.path` is joined with other arguments and executed via `asyncio.create_subprocess_shell()` [1].
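The two code paths above share one defect: a configuration string is interpolated into a shell command line, so a shell decides what it means. The following added example (written for this page, not MetaGPT's own code) contrasts that shape with a hardened handling of `mermaid.path` that also serves the workaround in the Mitigation section: validate the configured value as the name of a single executable, resolve it with `shutil.which()` instead of asking a shell, and run the renderer with an argument vector and `shell=False`. The `command -v` probe string, the `-i`/`-o` renderer flags and the sample values are assumptions of this example; the vulnerable string is only built, never executed.

```python
from __future__ import annotations

import shutil
import subprocess
import sys
from pathlib import Path

# Characters that let a configured "path" change the meaning of a shell command
# line.  A value that names one executable never legitimately needs any of them.
SHELL_METACHARS = set(";|&$`<>()[]{}*?!#\"'\\\n\r")

# Constructed sample values for this demonstration (not from the advisory's
# reference bundle); the first mirrors the payload shape quoted in the advisory.
INJECTED_PATH = "mmdc; /bin/bash -c 'id' #"
PYTHON_EXE = sys.executable  # an executable that exists on the host running this


def unsafe_check_cmd_string(command: str) -> str:
    """Vulnerable shape, built here only and never executed: the configured value is
    concatenated into a shell string, so ';' and '#' are interpreted by the shell.
    (Assumed probe; the page says MetaGPT hands such a string to os.system().)"""
    return "command -v " + command


def validate_mermaid_path(configured: str) -> Path:
    """Hardened handling: treat mermaid.path as the name of exactly one executable.

    Reject anything that is not a bare program name or filesystem path, then resolve
    it with shutil.which() rather than asking a shell whether it exists.
    """
    if not configured or any(ch in SHELL_METACHARS for ch in configured):
        raise ValueError(f"mermaid.path contains shell syntax: {configured!r}")
    resolved = shutil.which(configured)
    if resolved is None:
        raise FileNotFoundError(f"mermaid executable not found: {configured!r}")
    return Path(resolved)


def is_safe_mermaid_path(configured: str) -> bool:
    """True only if validate_mermaid_path() accepts the value."""
    try:
        validate_mermaid_path(configured)
        return True
    except (ValueError, FileNotFoundError):
        return False


def build_render_argv(mermaid_exe: str | Path, src: str | Path, dst: str | Path) -> list[str]:
    """Argument vector for the renderer.  Handed to subprocess without a shell, each
    element is one argv entry, so metacharacters in any of them stay literal."""
    return [str(mermaid_exe), "-i", str(src), "-o", str(dst)]  # -i/-o as mmdc uses them


def render_mermaid(configured_path: str, src: Path, dst: Path) -> int:
    """Validate the configured path, then run the renderer with shell=False."""
    exe = validate_mermaid_path(configured_path)
    result = subprocess.run(build_render_argv(exe, src, dst), shell=False, check=False)
    return result.returncode


if __name__ == "__main__":
    print("vulnerable command line would be:", unsafe_check_cmd_string(INJECTED_PATH))
    print("injected value rejected:", not is_safe_mermaid_path(INJECTED_PATH))
    print("real executable accepted:", is_safe_mermaid_path(PYTHON_EXE))
```

The metacharacter check is defence in depth: once the value is passed as `argv[0]` without a shell, nothing interprets `;` or `#` anyway, but rejecting it early turns a silent misconfiguration into a logged error and keeps the resolved path out of any later shell-based call.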

What the fix does

The advisory does not specify a patch or provide remediation guidance, so according to the available information the vulnerability remains unaddressed.

Preconditions

  • config: The `mermaid.path` configuration value must be controllable by the attacker.
  • input: The attacker must provide a payload containing shell metacharacters within the `mermaid.path` configuration.

Reproduction

Set `mermaid.engine` to `nodejs` in the configuration. Modify `mermaid.path` to include an injected command, for example: `mmdc; /bin/bash -c '...' #`. Trigger a code path that calls `metagpt.utils.mermaid.mermaid_to_file(...)` and observe the execution of the injected command [1].

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6
