CVE-2026-6110: MetaGPT has an eval injection in metagpt/strategy/tot.py

April 12, 2026 (updated April 14, 2026)

A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/FoundationAgents/MetaGPT
github.com/FoundationAgents/MetaGPT/issues/1933
github.com/FoundationAgents/MetaGPT/pull/1946
github.com/advisories/GHSA-xr7v-m9px-q4qj
nvd.nist.gov/vuln/detail/CVE-2026-6110
vuldb.com/submit/791761
vuldb.com/vuln/356970
vuldb.com/vuln/356970/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6110 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →