CVE-2026-6109 Overview
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in FoundationAgents MetaGPT versions up to 0.8.1. The vulnerability exists within the evaluateCode function located in the metagpt/environment/minecraft/mineflayer/index.js file, which is part of the Mineflayer HTTP API component. This flaw allows remote attackers to execute unauthorized actions by tricking authenticated users into making unintended requests to the vulnerable API endpoint.
Critical Impact
Remote attackers can exploit this CSRF vulnerability to manipulate the Mineflayer HTTP API, potentially leading to unauthorized code execution within the Minecraft environment managed by MetaGPT. The exploit has been publicly disclosed and may be actively utilized.
Affected Products
- FoundationAgents MetaGPT versions up to 0.8.1
- MetaGPT Mineflayer HTTP API component
- Systems utilizing the evaluateCode function in metagpt/environment/minecraft/mineflayer/index.js
Discovery Timeline
- April 12, 2026 - CVE-2026-6109 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6109
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The Mineflayer HTTP API in MetaGPT fails to implement proper anti-CSRF protections on the evaluateCode endpoint. When a user with an active session to the MetaGPT application visits a malicious website or clicks a crafted link, the attacker can force the user's browser to send unauthorized requests to the API. Since the vulnerable endpoint lacks CSRF token validation or other request origin verification mechanisms, the server processes these forged requests as legitimate.
The attack can be initiated remotely across the network, requiring no authentication from the attacker but necessitating some form of user interaction—typically clicking a malicious link or visiting a compromised webpage while authenticated to the MetaGPT application.
Root Cause
The root cause of this vulnerability is the absence of CSRF protection mechanisms in the evaluateCode function within the Mineflayer HTTP API. The API endpoint accepts and processes state-changing requests without verifying the origin of the request or requiring anti-CSRF tokens. This architectural oversight allows attackers to craft malicious requests that are indistinguishable from legitimate user requests from the server's perspective.
Attack Vector
The attack is executed remotely via the network. An attacker crafts a malicious webpage or email containing a hidden form or JavaScript that automatically submits a request to the vulnerable evaluateCode endpoint. When an authenticated MetaGPT user visits this malicious content, their browser automatically sends the forged request along with their session cookies, causing the server to execute the attacker's specified code within the Minecraft Mineflayer environment.
The vulnerability allows manipulation of the integrity of the application, enabling attackers to execute arbitrary commands within the context of the victim's session. Additional technical details regarding the exploitation mechanism can be found in GitHub Issue #1932 and the VulDB entry.
Detection Methods for CVE-2026-6109
Indicators of Compromise
- Unexpected HTTP requests to the /evaluateCode endpoint originating from external referrers or with suspicious origin headers
- Log entries showing code execution requests without corresponding user-initiated actions in the application interface
- Unusual Minecraft bot behaviors or commands executed without direct user input through the legitimate MetaGPT interface
Detection Strategies
- Monitor HTTP request logs for the Mineflayer API endpoint and flag requests with suspicious Referer or Origin headers
- Implement web application firewall (WAF) rules to detect potential CSRF attacks targeting the evaluateCode function
- Enable detailed logging on the MetaGPT application to capture all API requests with their associated session and origin information
- Deploy behavioral analysis to detect anomalous patterns in code execution requests
Monitoring Recommendations
- Configure alerting for any requests to the metagpt/environment/minecraft/mineflayer/index.js endpoints from untrusted origins
- Review application logs regularly for signs of automated or scripted requests that bypass normal user workflows
- Implement real-time monitoring of API endpoint access patterns to identify potential CSRF exploitation attempts
How to Mitigate CVE-2026-6109
Immediate Actions Required
- Restrict access to the Mineflayer HTTP API to trusted networks or localhost only until a patch is available
- Implement network-level access controls to limit who can reach the vulnerable endpoint
- Consider disabling the evaluateCode functionality if it is not essential to operations
- Review recent API logs for signs of exploitation and investigate any suspicious activity
Patch Information
As of the last update on April 13, 2026, the MetaGPT project has been informed of this vulnerability through GitHub Issue #1932 but has not yet responded with an official patch. Users should monitor the MetaGPT GitHub repository for security updates and apply patches as soon as they become available.
Workarounds
- Implement a reverse proxy with CSRF token validation in front of the Mineflayer HTTP API
- Configure SameSite=Strict cookie attributes for any session cookies used by the MetaGPT application
- Add custom middleware to validate the Origin and Referer headers on all incoming requests to the API
- Use network segmentation to isolate the MetaGPT environment from untrusted network access
# Example: Restrict API access using iptables
# Allow only localhost access to the Mineflayer API port (adjust port number as needed)
iptables -A INPUT -p tcp --dport 3000 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
