Vulnerabilities ›

CVE-2026-6111

Medium

CWE-918 — Weakness Type

                    Published: Apr 12, 2026                      ·  Modified: Apr 15, 2026                      ·  Source: NVD                

CVSS v3

6.3

🔗 NVD Official

📄 Description (English)

A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.1. This impacts the function decode_image of the file metagpt/utils/common.py. The manipulation of the argument img_url_or_b64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

🤖 AI Executive Summary

CVE-2026-6111 is a server-side request forgery (SSRF) vulnerability in MetaGPT versions up to 0.8.1 affecting the decode_image function in metagpt/utils/common.py. The vulnerability allows remote attackers to manipulate the img_url_or_b64 parameter to perform unauthorized server requests.

📄 Description (Arabic)

ثغرة SSRF في MetaGPT تسمح للمهاجمين بمعالجة معامل img_url_or_b64 في وظيفة decode_image لتنفيذ طلبات HTTP غير مصرح بها من خادم التطبيق. يمكن استخدام هذه الثغرة للوصول إلى الموارد الداخلية أو إجراء هجمات على أنظمة أخرى.

🤖 ملخص تنفيذي (AI)

CVE-2026-6111 هو ثغرة في طلب الخادم من جانب الخادم (SSRF) في إصدارات MetaGPT حتى 0.8.1 تؤثر على وظيفة decode_image. تسمح الثغرة للمهاجمين البعيدين بمعالجة معاملات معينة لتنفيذ طلبات خادم غير مصرح بها.

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 07:07

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government telecom energy banking

🎯 MITRE ATT&CK Techniques

T1190 T1498 T1557

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade MetaGPT to version 0.8.2 or later immediately. Implement input validation and sanitization for img_url_or_b64 parameters. Deploy network segmentation to restrict outbound connections from affected systems. Monitor for suspicious image URL requests and implement Web Application Firewall (WAF) rules to block SSRF patterns.

🔧 خطوات المعالجة (العربية)

قم بترقية MetaGPT إلى الإصدار 0.8.2 أو أحدث فوراً. طبق التحقق من صحة المدخلات وتنظيفها لمعاملات img_url_or_b64. قم بنشر تقسيم الشبكة لتقييد الاتصالات الصادرة من الأنظمة المتأثرة. راقب طلبات عناوين URL للصور المريبة وطبق قواعد جدار الحماية لحجب أنماط SSRF.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

2.1.1 2.1.2 2.2.1

🔵 SAMA CSF

ID.RA-1 PR.DS-1 PR.IP-1

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5 A.13.1.1

🔗 References & Sources 6

🔗

https://github.com/FoundationAgents/MetaGPT/

cna@vuldb.com

🔗

https://github.com/FoundationAgents/MetaGPT/issues/1934

cna@vuldb.com

🔗

https://github.com/FoundationAgents/MetaGPT/pull/1941

cna@vuldb.com

🔗

https://vuldb.com/submit/791762

cna@vuldb.com

🔗

https://vuldb.com/vuln/356971

cna@vuldb.com

🔗

https://vuldb.com/vuln/356971/cti

cna@vuldb.com

📊 CVSS Score

6.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score6.3

CWECWE-918

EPSS0.05%

Exploit No

Patch ✗ No

Published 2026-04-12

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-918

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-6111

💬 Comments

Introduce Yourself

Sign In Required