CVE-2026-4516 is an injection vulnerability identified in Foundation Agents MetaGPT, an AI automation and foundation model orchestration tool, affecting versions 0.8.0 and 0.8.1. The vulnerability resides in the DataInterpreter component, specifically in the metagpt/actions/di/write_analysis_code.py file. Injection flaws typically allow attackers to insert malicious code or commands into a program's input, which the system then executes or processes improperly. In this case, the injection can be triggered remotely without requiring user interaction or elevated privileges, increasing the attack surface. The vulnerability's CVSS 4.0 score is 5.3 (medium severity), reflecting its network attack vector, low complexity, no authentication required, and limited impact on confidentiality, integrity, and availability. The vendor was notified early but has not issued any patches or advisories, and no known exploits have been observed in the wild yet, although proof-of-concept exploit code is publicly available. This lack of vendor response and patch availability increases risk for organizations relying on MetaGPT for AI workflow automation. The vulnerability could allow attackers to manipulate or inject unauthorized code during the data interpretation phase, potentially leading to unauthorized data access, code execution, or disruption of AI model workflows. Given the growing adoption of AI orchestration platforms, this vulnerability poses a moderate risk to organizations integrating MetaGPT into their AI pipelines.

The injection vulnerability in MetaGPT can lead to unauthorized code execution or manipulation of AI workflow processes, potentially compromising the confidentiality, integrity, and availability of AI models and data. Attackers could inject malicious code remotely, possibly altering analysis results, corrupting data, or disrupting automated AI tasks. This could result in incorrect AI outputs, data leakage, or denial of service conditions affecting dependent systems. Organizations relying on MetaGPT for critical AI operations may face operational disruptions, reputational damage, and compliance risks if sensitive data is exposed or AI decisions are manipulated. The absence of vendor patches and the public availability of exploit code increase the likelihood of exploitation attempts, especially in environments where MetaGPT instances are exposed to untrusted networks. However, the medium severity rating indicates that the impact is somewhat limited, possibly due to the scope of affected components or mitigations available at the network level.

1. Immediately restrict network access to MetaGPT instances, ensuring they are not exposed to untrusted or public networks. 2. Implement strict input validation and sanitization on all inputs processed by the DataInterpreter component, particularly those handled by metagpt/actions/di/write_analysis_code.py, to prevent injection payloads. 3. Monitor logs and network traffic for unusual or suspicious activity indicative of injection attempts or exploitation. 4. Employ application-layer firewalls or runtime application self-protection (RASP) tools to detect and block injection attacks in real time. 5. Isolate MetaGPT environments from critical production systems to limit potential impact. 6. Engage with the vendor or community to track any forthcoming patches or updates and apply them promptly once available. 7. Consider deploying compensating controls such as containerization or sandboxing of MetaGPT processes to limit the blast radius of a successful attack. 8. Conduct regular security assessments and code reviews focusing on injection vulnerabilities within AI orchestration components.