CVE-2026-11455 - MetaGPT Mermaid path command injection
MetaGPT versions through 0.8.2 can treat the configured Mermaid CLI path as
shell text instead of as an executable path. The vulnerable flow is reached
when MetaGPT renders Mermaid diagrams through the Node.js Mermaid engine. If an
attacker can modify mermaid.path, provide a configuration file, influence an
agent workspace, or land a repository-local MetaGPT configuration that an
automation runner trusts, MetaGPT can execute unintended shell syntax in the
security context of the user or agent process.
This is a useful agent recipe because the safest change is not just “upgrade.” At the time this recipe was written, the public NVD record did not list a fixed vendor release. Reviewers should expect containment, configuration ownership checks, and, where the repository vendors or patches MetaGPT, replacement of shell execution with argv-based subprocess calls.
When to use it
Use this recipe when a repository uses MetaGPT, vendors MetaGPT, runs agent workers that render Mermaid diagrams, or accepts workspace-local configuration that can influence executable paths. It is designed for source-code remediation, agent-workspace trust review, command-injection containment, credential hygiene, and evidence that Mermaid rendering uses trusted executable paths without shell interpretation.
Inputs
- MetaGPT version, Python dependency/lockfile state, worker images, Mermaid
rendering config,
mermaid.pathownership, workspace config loading order, and generated dependency or SBOM reports. - Source paths that load MetaGPT config, render Mermaid diagrams, call
create_subprocess_shell, check command existence, spawn Node/Mermaid, or run agent workspaces with credentials. - Regression fixtures for trusted executable paths, rejected shell syntax, untrusted workspace config, disabled Mermaid rendering, and argv-based subprocess calls without executing exploit payloads.
- Boundary evidence: who can modify config/workspaces, agent runner secrets, cloud/GitHub/package/model-provider credentials, worker owners, logs, and rollout owner.
Affected versions
- Vulnerable:
metagpt <=0.8.2 - Fixed: no public fixed vendor release was listed in NVD as of 2026-06-08
- Affected configuration:
mermaid.engine: nodejswith a mutable or untrustedmermaid.path - Affected code paths: command existence checks and Mermaid rendering that
build shell command strings from
mermaid.path
If a newer vendor release is available by the time you run this recipe, verify
that the fix removes shell interpretation for mermaid.path before treating an
upgrade as sufficient.
Indicator-of-exposure
- The repository pins or installs
metagptat0.8.2or earlier. - The application accepts, stores, merges, or loads MetaGPT configuration from users, pull requests, workspaces, tenants, model output, uploaded archives, or project repositories.
- MetaGPT runs in an agent, notebook, CI job, worker, or service account that has access to source code, credentials, local files, cloud tokens, package tokens, browser sessions, or writable deployment artifacts.
- Mermaid rendering is enabled through the Node.js engine, especially in autonomous report generation, product requirement generation, system design generation, or documentation workflows.
- The repository vendors MetaGPT code or wraps
metagpt.utils.mermaid.mermaid_to_fileormetagpt.utils.common.check_cmd_exists.
Quick checks:
rg -n "metagpt|MetaGPT|mermaid\.path|mermaid:|engine: *nodejs|mmdc|mermaid_to_file|check_cmd_exists|create_subprocess_shell|os\.system" .
python -m pip show metagpt
python -m pip freeze | rg -i "^metagpt=="
Windows:
rg -n "metagpt|MetaGPT|mermaid\.path|mermaid:|engine: *nodejs|mmdc|mermaid_to_file|check_cmd_exists|create_subprocess_shell|os\.system" .
py -m pip show metagpt
py -m pip freeze | rg -i "^metagpt=="
Do not prove exposure by placing shell metacharacters in mermaid.path on a
real workstation, shared runner, production service, or agent workspace.
Remediation strategy
- Prefer a vendor-fixed MetaGPT release once one exists, and verify that the release replaces shell-string execution with argument-vector execution.
- Until a fixed release is available, disable MetaGPT Mermaid rendering for
untrusted workspaces or force
mermaid.engineaway from the Node.js Mermaid path where diagrams are not required. - Treat MetaGPT configuration as code. Only load it from trusted, reviewed locations; do not merge tenant, PR, workspace, model-output, or uploaded archive configuration into the process config.
- Pin
mermaid.pathto a trusted executable path or executable name resolved byshutil.which. Reject values that contain path separators outside an allow-listed install directory, whitespace-only values, shell metacharacters, environment expansions, command separators, or additional arguments. - If the repository vendors or monkey-patches MetaGPT, change command execution
to use
subprocess.run([...], shell=False)andasyncio.create_subprocess_exec(...). Keep every CLI flag and file path as a separate argv element. - Run MetaGPT diagram generation in a least-privilege environment with no long-lived credentials and no writable access outside the expected workspace.
- Rotate credentials if a vulnerable MetaGPT worker processed untrusted config or untrusted workspaces while Mermaid rendering was enabled.
The prompt
You are remediating CVE-2026-11455, a FoundationAgents MetaGPT command
injection issue through the Mermaid CLI path configuration. Produce exactly one
output:
- A reviewer-ready PR/change request that removes exposure, adds safe
regression tests, and documents operator cleanup, or
- TRIAGE.md if this repository does not install MetaGPT, load MetaGPT
configuration, vendor the vulnerable code, or run MetaGPT Mermaid rendering.
## Rules
- Scope only CVE-2026-11455 and directly related MetaGPT Mermaid execution
hardening.
- Treat API keys, model provider tokens, source code, workspace files,
browser/session data, cloud credentials, package registry tokens, generated
artifacts, and agent transcripts as sensitive.
- Do not run a live command-injection payload, add shell metacharacters to a
real `mermaid.path`, execute untrusted MetaGPT configuration, or clone exploit
repositories.
- Do not make the alert disappear by deleting required documentation,
diagrams, provenance, or audit artifacts without a documented replacement.
- Do not auto-merge.
## Steps
1. Inventory every MetaGPT use controlled by this repository: dependency
manifests, lockfiles, Dockerfiles, devcontainers, notebooks, CI jobs,
workers, agent launchers, examples, docs, vendored source, patches, and
generated SBOMs.
2. Determine every resolved MetaGPT version. Treat `metagpt <=0.8.2` as
vulnerable unless a vendor advisory or reviewed patch proves otherwise.
3. Search for MetaGPT configuration sources: `config.yaml`, `mermaid.path`,
`mermaid.engine`, workspace-local config, tenant config, PR-supplied config,
uploaded archives, generated files, and model-produced settings.
4. Search for Mermaid rendering execution paths:
`metagpt.utils.common.check_cmd_exists`,
`metagpt.utils.mermaid.mermaid_to_file`, `os.system`,
`subprocess.*shell=True`, `asyncio.create_subprocess_shell`, `mmdc`, and
wrappers around PRD, design, report, or documentation generation.
5. If the repository does not install MetaGPT, load MetaGPT config, vendor the
vulnerable code, or run MetaGPT diagram generation, stop with `TRIAGE.md`
listing checked files and package-manager evidence.
6. If a vendor-fixed MetaGPT release exists, upgrade to that release or later.
Refresh lockfiles, images, SBOMs, docs, and dependency reports. Confirm the
release no longer passes `mermaid.path` through a shell.
7. If no vendor-fixed release is available or this repository vendors MetaGPT,
contain first:
- disable Mermaid rendering for untrusted workspaces;
- reject repository-local, tenant, uploaded, or model-generated overrides of
`mermaid.path`;
- require a trusted default path for `mmdc`;
- run diagram generation without long-lived credentials.
8. Patch owned code or vendored MetaGPT code:
- resolve the executable with `shutil.which` or an allow-listed absolute
path;
- validate that the executable is a single command path, not a command line;
- pass arguments as a list to `subprocess.run(..., shell=False)` or
`asyncio.create_subprocess_exec(...)`;
- keep input file, output file, width, height, and Puppeteer config as
separate argv elements;
- fail closed with a non-secret error when the executable is missing or
invalid.
9. Add regression tests with inert inputs only:
- vulnerable MetaGPT versions are rejected or contained;
- untrusted configuration cannot override `mermaid.path`;
- command strings with separators or extra arguments are rejected before
execution;
- the renderer calls an argv-based subprocess API, not a shell API;
- logs do not include secrets, full workspace contents, or exploit payloads.
10. Add a PR body section named `CVE-2026-11455 operator actions` that states:
- MetaGPT versions before and after;
- whether Mermaid rendering is disabled, upgraded, or locally patched;
- which configuration sources are trusted and which are rejected;
- whether vulnerable workers processed untrusted workspaces or configs;
- whether credentials should be rotated;
- which validation commands passed.
11. Run relevant validation: dependency install, lockfile integrity,
unit tests for config validation and argv subprocess execution, lint,
typecheck, container build, SBOM refresh, and a safe Mermaid render smoke
test that uses a trusted executable path and no attacker-controlled shell
syntax.
12. Use PR title:
`fix(sec): remediate CVE-2026-11455 in MetaGPT Mermaid rendering`.
## Stop conditions
- No controlled MetaGPT install, config loader, vendored code, wrapper, or
Mermaid rendering path exists.
- A fixed MetaGPT release is not available and local patching is outside this
repository's ownership; document containment and the upstream owner in
`TRIAGE.md`.
- Validation would require running an exploit payload, executing untrusted
configuration, or exposing secrets.
- The only affected worker or image is externally managed; document the owner,
required fixed behavior, and temporary containment.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades or contains MetaGPT, pins trusted Mermaid executable paths, replaces owned shell execution with argv-based subprocess calls, and documents credential/operator review.
- Or a
TRIAGE.mdfile that lists inspected dependencies/config/workers, owner, observed version, Mermaid-rendering boundary, required fix, and residual risk. - The output must include exact validation commands and must not execute untrusted config, run exploit payloads, print secrets, or leave workspace config trusted before provenance checks.
Verification - what the reviewer looks for
- No repository-controlled dependency, lockfile, image, notebook, worker, or launcher resolves to vulnerable MetaGPT with Mermaid rendering still exposed to untrusted configuration.
- Untrusted workspaces, tenants, pull requests, uploaded archives, and model
output cannot set or override
mermaid.path. - Owned or vendored execution code uses argv-based subprocess calls and
shell=False, or the PR documents why local patching is not owned here. - Tests reject malformed Mermaid executable paths without executing them.
- Operator notes cover credential rotation if vulnerable MetaGPT workers processed untrusted config before containment.
Watch for
- Treating
mermaid.pathas a command line instead of an executable path. - Fixing the preflight command-existence check while leaving the actual Mermaid
render path on
create_subprocess_shell. - Loading workspace-local MetaGPT config before trust decisions are made.
- Running MetaGPT in an agent environment that has broad cloud, GitHub, package-registry, browser, or model-provider credentials.
- Assuming “medium” severity means low urgency in autonomous agent runners.
Related recipes
- Source code injection sink audit
- Source code secrets and data exposure audit
- Source code supply chain build integrity audit
- SAST finding triage and fix
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11455
- GitHub issue: https://github.com/FoundationAgents/MetaGPT/issues/2037
- VulDB CVE entry: https://vuldb.com/cve/CVE-2026-11455