{"api_version":"1","generated_at":"2026-04-12T20:38:07+00:00","cve":"CVE-2026-6109","urls":{"html":"https://cve.report/CVE-2026-6109","api":"https://cve.report/api/cve/CVE-2026-6109.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6109","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6109"},"summary":{"title":"FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery","description":"A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.","state":"PUBLISHED","assigner":"VulDB","published_at":"2026-04-12 02:16:00","updated_at":"2026-04-12 02:16:00"},"problem_types":["CWE-352","CWE-862","CWE-352 Cross-Site Request Forgery","CWE-862 Missing Authorization"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"5","severity":"","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"5","severity":"","vector":"AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR","data":{"baseScore":5,"vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR","version":"2.0"}}],"references":[{"url":"https://vuldb.com/submit/791759","name":"https://vuldb.com/submit/791759","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/356969","name":"https://vuldb.com/vuln/356969","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/FoundationAgents/MetaGPT/","name":"https://github.com/FoundationAgents/MetaGPT/","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/FoundationAgents/MetaGPT/issues/1932","name":"https://github.com/FoundationAgents/MetaGPT/issues/1932","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/vuln/356969/cti","name":"https://vuldb.com/vuln/356969/cti","refsource":"cna@vuldb.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6109","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6109","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"FoundationAgents","product":"MetaGPT","version":"affected 0.8.0","platforms":[]},{"source":"CNA","vendor":"FoundationAgents","product":"MetaGPT","version":"affected 0.8.1","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-11T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2026-04-11T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2026-04-11T09:54:47.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Eric-d (VulDB User)","lang":"en"},{"source":"CNA","value":"VulDB CNA Team","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"modules":["Mineflayer HTTP API"],"product":"MetaGPT","vendor":"FoundationAgents","versions":[{"status":"affected","version":"0.8.0"},{"status":"affected","version":"0.8.1"}]}],"credits":[{"lang":"en","type":"reporter","value":"Eric-d (VulDB User)"},{"lang":"en","type":"coordinator","value":"VulDB CNA Team"}],"descriptions":[{"lang":"en","value":"A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."}],"metrics":[{"cvssV4_0":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R","version":"3.1"}},{"cvssV3_0":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R","version":"3.0"}},{"cvssV2_0":{"baseScore":5,"vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-352","description":"Cross-Site Request Forgery","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-862","description":"Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-12T01:30:15.439Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-356969 | FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/vuln/356969"},{"name":"VDB-356969 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/vuln/356969/cti"},{"name":"Submit #791759 | FoundationAgents MetaGPT 0.8.1 Cross Site Request Forgery (CWE-352)","tags":["third-party-advisory"],"url":"https://vuldb.com/submit/791759"},{"tags":["exploit","issue-tracking"],"url":"https://github.com/FoundationAgents/MetaGPT/issues/1932"},{"tags":["product"],"url":"https://github.com/FoundationAgents/MetaGPT/"}],"timeline":[{"lang":"en","time":"2026-04-11T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2026-04-11T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2026-04-11T09:54:47.000Z","value":"VulDB entry last update"}],"title":"FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2026-6109","datePublished":"2026-04-12T01:30:15.439Z","dateReserved":"2026-04-11T07:49:27.735Z","dateUpdated":"2026-04-12T01:30:15.439Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-12 02:16:00","lastModifiedDate":"2026-04-12 02:16:00","problem_types":["CWE-352","CWE-862","CWE-352 Cross-Site Request Forgery","CWE-862 Missing Authorization"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","baseScore":5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6109","Ordinal":"1","Title":"FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCo","CVE":"CVE-2026-6109","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6109","Ordinal":"1","NoteData":"A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.","Type":"Description","Title":"FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCo"}]}}}