CVE-2026-6111 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in FoundationAgents MetaGPT, an open-source multi-agent framework. The vulnerability affects the decode_image function within the file metagpt/utils/common.py. Through manipulation of the img_url_or_b64 argument, an attacker can forge server-side requests to arbitrary destinations, potentially accessing internal resources or performing unauthorized actions on behalf of the vulnerable server.
The exploit has been publicly disclosed, and the project maintainers were notified through a GitHub issue but have not yet responded.
Critical Impact
Remote attackers with low privileges can exploit this SSRF vulnerability to access internal services, probe network infrastructure, or pivot to attack other systems accessible from the vulnerable MetaGPT server.
Affected Products
- FoundationAgents MetaGPT versions up to and including 0.8.1
- Applications integrating the vulnerable decode_image function from metagpt/utils/common.py
- Deployments processing user-controlled image URLs through the affected component
Discovery Timeline
- April 12, 2026 - CVE-2026-6111 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6111
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in the image decoding functionality of MetaGPT. The decode_image function in metagpt/utils/common.py accepts a parameter img_url_or_b64 that can be either a base64-encoded image or a URL. When a URL is provided, the application fetches the resource without proper validation of the destination, allowing attackers to craft malicious requests that the server will execute.
The vulnerability enables authenticated attackers to make the server initiate HTTP requests to arbitrary internal or external endpoints. This can lead to information disclosure of internal network topology, access to cloud metadata services (such as AWS IMDSv1), or interaction with internal APIs that should not be externally accessible.
Root Cause
The root cause of this vulnerability is insufficient input validation and URL sanitization in the decode_image function. The code fails to implement proper allowlisting or blocklisting mechanisms to restrict which URLs the server can fetch. When processing the img_url_or_b64 argument, the function does not verify whether the provided URL points to a safe, external resource or potentially dangerous internal endpoints.
Attack Vector
The attack vector is network-based, requiring authenticated access with low privileges. An attacker can supply a malicious URL as the img_url_or_b64 parameter, directing the MetaGPT server to make requests to internal resources. Typical attack scenarios include:
- Accessing cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/)
- Scanning internal network ports and services
- Retrieving sensitive configuration files from internal web servers
- Interacting with internal APIs that lack additional authentication
The vulnerability can be exploited remotely without user interaction. Technical details and discussion are available in the GitHub Issue #1934 filed by the security researcher.
Detection Methods for CVE-2026-6111
Indicators of Compromise
- Unusual outbound HTTP requests from the MetaGPT server to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal
- Anomalous access patterns to the decode_image function with URL parameters containing internal hostnames
- Increased network traffic to previously uncontacted internal services originating from the MetaGPT application
Detection Strategies
- Implement network monitoring to alert on requests from the MetaGPT server to RFC 1918 private IP addresses
- Deploy web application firewall (WAF) rules to detect and block SSRF patterns in the img_url_or_b64 parameter
- Enable detailed logging for all outbound HTTP requests made by the application
- Monitor for access attempts to sensitive cloud metadata URLs from application servers
Monitoring Recommendations
- Configure network segmentation alerts for unexpected cross-segment traffic from application servers
- Set up DNS query logging to identify resolution attempts for internal hostnames from the MetaGPT service
- Implement egress filtering rules and monitor for bypass attempts
- Review application logs for patterns indicating SSRF probing activity
How to Mitigate CVE-2026-6111
Immediate Actions Required
- Restrict network egress from servers running MetaGPT to only necessary external endpoints
- Implement URL validation to block requests to private IP ranges and localhost
- Deploy cloud metadata endpoint protection (such as enabling IMDSv2 on AWS with hop limit of 1)
- Consider disabling the URL-based image loading functionality if not required by your deployment
- Monitor the GitHub Pull Request #1941 for an official fix
Patch Information
As of the last modification date, no official patch has been released by the FoundationAgents project. A pull request addressing this vulnerability is available at GitHub Pull Request #1941. Organizations should monitor the MetaGPT GitHub repository for updates and apply patches as soon as they become available. Additional vulnerability details can be found at VulDB #356971.
Workarounds
- Implement a proxy layer that validates and filters all outbound URL requests from the MetaGPT application
- Use network-level controls to block requests to internal IP ranges from the application server
- Modify the decode_image function locally to only accept base64-encoded images, disabling URL fetching entirely
- Deploy the application in a network segment with strict egress filtering to prevent access to sensitive internal resources
# Example iptables rules to block SSRF to internal networks
# Apply these on the MetaGPT server
# Block access to private IP ranges
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
# Block cloud metadata endpoints
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block localhost loopback from application
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
