CVE-2026-6109: MetaGPT has an eval injection via a cross-site request forgery attack

April 12, 2026 (updated April 14, 2026)

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/FoundationAgents/MetaGPT
github.com/FoundationAgents/MetaGPT/issues/1932
github.com/advisories/GHSA-w287-wwhf-95vv
nvd.nist.gov/vuln/detail/CVE-2026-6109
vuldb.com/submit/791759
vuldb.com/vuln/356969
vuldb.com/vuln/356969/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6109 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →