FIND-20260323-015 · 2026-03-23 · Innovation Veille
MetaGPT — Multi-Agent AI Framework with Critical Unpatched RCE CVEs
adhoc
HIGH
MetaGPT (65k stars, MIT license) is a Python multi-agent framework that assigns LLM instances to roles (Product Manager, Architect, Engineer) to autonomously produce software from a natural language prompt. It is architecturally comparable to ODS's ADLC/PDLC pipeline and specialized subagents. However, two critical (CVSS 9.8) code injection/deserialization CVEs (CVE-2026-4515, CVE-2026-4516), affecting releases up to v0.8.1, have been disclosed with no vendor response and no patched release; the repo has also been inactive since January 2026, so a fix should not be expected.
Source
https://github.com/FoundationAgents/MetaGPT
ODS Impact
ODS's own agent pipeline (ADLC/PDLC, Claude Code subagents) covers the same problem space as MetaGPT but is Rust/TypeScript-native and does not share MetaGPT's specific Python deserialization/code-injection surface. Note that the class of risk is not language-bound: any pipeline that executes LLM-generated code or deserializes agent state from untrusted sources carries an equivalent surface and must be threat-modelled on its own. MetaGPT could serve as architectural reference for ODS's workflow orchestration design, but must NOT be integrated as a dependency or deployed in any ODS environment given the unpatched critical vulnerabilities. The AFlow paper (ICLR 2025 oral, rank #2 LLM-Agent category) on automated agentic workflow generation is worth reading for ODS agent architecture improvements.
Security Review
License: MIT | Maintenance: STALE | Risk: HIGH | Recommendation: DO_NOT_USE
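Enforcing the DO_NOT_USE recommendation in CI: the following is an added example for this finding (not code from the MetaGPT project) that gates a pip-freeze / requirements.txt style manifest against the affected range. Any pin of metagpt at a version up to and including v0.8.1 (the range named above) is reported as affected; a pin above that ceiling, or an unpinned/URL requirement, is reported as unverified rather than clean, because no vendor fix is confirmed. The package name, the version ceiling and the sample manifest lines are taken from or constructed for this finding; only the standard library is used.

```python
"""Gate a Python dependency manifest against the MetaGPT finding.

Added example for this finding, not code from the MetaGPT project. Reads
pip-freeze / requirements.txt style lines and reports any requirement naming
MetaGPT. Pins inside the affected range (<= 0.8.1 per the finding) are
'affected'; anything else naming the package is 'unverified', since no
patched release exists at the time of the finding.
"""
import re
from typing import Dict, List, Tuple

AFFECTED_PACKAGE = "metagpt"      # pip distribution name (assumed from the project name)
AFFECTED_MAX_VERSION = "0.8.1"    # highest version named in the finding

# "name==1.2.3" style pin; anything after the version (markers, hashes) is ignored.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+-]*)")
# Any other requirement line that starts with a package name (ranges, URLs, "pkg @ ...").
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 style normalization: 'MetaGPT', 'metagpt', 'Meta_GPT' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a release version to its numeric components for ordering.

    '0.8.1' -> (0, 8, 1); '0.8.1rc2' -> (0, 8, 1). Pre/post-release suffixes are
    dropped on purpose: such builds then compare equal to their base release,
    so '0.8.1rc2' still falls inside the affected range (conservative).
    """
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def classify(version: str) -> str:
    """'affected' inside the documented range, otherwise 'unverified' (no fix confirmed)."""
    if parse_version(version) <= parse_version(AFFECTED_MAX_VERSION):
        return "affected"
    return "unverified"


def scan_requirements(text: str) -> List[Dict[str, str]]:
    """Return one finding per line that names the affected package."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        pin = _PIN_RE.match(line)
        if pin:
            name, version = pin.group(1), pin.group(2)
            if normalize_name(name) == AFFECTED_PACKAGE:
                findings.append({"line": raw.strip(), "version": version,
                                 "status": classify(version)})
            continue
        other = _NAME_RE.match(line)
        if other and normalize_name(other.group(1)) == AFFECTED_PACKAGE:
            # Unpinned range, VCS URL or "pkg @ url": version unknown, never clean.
            findings.append({"line": raw.strip(), "version": "", "status": "unverified"})
    return findings


# Constructed sample manifest for this example (not a real project's lockfile).
CONSTRUCTED_FREEZE = """\
requests==2.32.3
MetaGPT==0.8.1        # constructed pin inside the affected range
numpy==1.26.4
"""

if __name__ == "__main__":
    hits = scan_requirements(CONSTRUCTED_FREEZE)
    for hit in hits:
        print(f"{hit['status'].upper():10} {hit['line']}")
    # Fail the pipeline on any finding: the recommendation is DO_NOT_USE, not "upgrade".
    raise SystemExit(1 if hits else 0)
```

The gate deliberately has no "clean" outcome for the package at any version: with no vendor response and a stale repo, a release above v0.8.1 would have to be verified by hand before the pin could be accepted, which is why the script exits non-zero on every finding.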
Tags
ai
multi-agent
llm
python
cve
rce
security