High (7.3)

AgentScope code injection, unauthenticated RCE (CVE-2026-6603)

CVE-2026-6603

CVE-2026-6603 grants unauthenticated remote code execution via command injection in AgentScope ≤1.0.18. Upgrade to a version newer than 1.0.18 immediately.

Vendor-confirmed: CVE-2026-6603 is a high-severity remote code execution vulnerability in AgentScope versions 1.0.18 and earlier that grants an unauthenticated attacker arbitrary command execution on the host system. Upgrade to a version newer than 1.0.18 immediately.

Overview

A high-severity remote code execution (RCE) vulnerability has been identified in the AgentScope framework, versions 1.0.18 and earlier. Tracked as CVE-2026-6603, this flaw allows an unauthenticated remote attacker to execute arbitrary code on affected systems.

Vulnerability Details

The vulnerability exists within the execute_python_code and execute_shell_command functions in the file src/AgentScope/tool/_coding/_python.py. Insufficient input validation allows an attacker to inject malicious code that the system will then execute. The attack can be launched remotely over the network without requiring any user interaction or prior authentication.
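The advisory attributes the flaw to insufficient input validation in the tools that execute Python code and shell commands. As an added illustration (not AgentScope's code, and not a reconstruction of either the vulnerable or the patched function), the following shows the gate a defender expects in front of any agent tool that runs host commands: tokenise the request instead of handing the string to a shell, refuse shell metacharacters, allowlist the program by bare name, keep arguments inside the working directory, and run with a hard timeout. The allowlist, metacharacter set and sandbox rule are hypothetical policy chosen for this example.

```python
"""Added illustration, not AgentScope project code: a hardened gate in front
of an agent tool that executes host commands. The allowlist, the metacharacter
set and the working-directory rule are hypothetical policy for this example."""
import shlex
import subprocess

# Hypothetical policy: the only programs the tool may launch.
ALLOWED_BINARIES = {"ls", "cat", "wc", "head", "echo"}

# Any of these means the request is trying to compose shell syntax
# (chaining, pipes, substitution, redirection) rather than one program call.
SHELL_METACHARS = set(";&|`$<>(){}\n\r")


class CommandRejected(ValueError):
    """Raised when a request fails validation; the caller logs it and nothing runs."""


def validate_command(command: str) -> list:
    """Return an argv list for `command`, or raise CommandRejected.

    The decision is made on the tokenised form, i.e. on the exact program and
    arguments that would reach execve(), not on a string a shell would re-parse.
    """
    if not command or not command.strip() or len(command) > 1024:
        raise CommandRejected("empty or oversized command")
    bad = sorted(ch for ch in SHELL_METACHARS if ch in command)
    if bad:
        raise CommandRejected(f"shell metacharacters not allowed: {bad}")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. an unbalanced quote
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("no program given")
    program = argv[0]
    # Bare program names only: a path would bypass a name-based allowlist.
    if "/" in program or "\\" in program or program not in ALLOWED_BINARIES:
        raise CommandRejected(f"program not allowlisted: {program!r}")
    # Hypothetical sandbox rule: arguments stay relative to the working directory.
    for arg in argv[1:]:
        if arg.startswith(("/", "~")) or ".." in arg.split("/"):
            raise CommandRejected(f"argument escapes working directory: {arg!r}")
    return argv


def is_accepted(command: str) -> bool:
    """True if validate_command would let this request run."""
    try:
        validate_command(command)
        return True
    except CommandRejected:
        return False


def run_tool_command(command: str, timeout_s: float = 5.0) -> subprocess.CompletedProcess:
    """Validate, then execute without a shell and under a hard time limit."""
    argv = validate_command(command)
    # shell=False: argv goes straight to the OS, so no shell ever parses the input.
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout_s, check=False)


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three that the gate must refuse.
    for request in ["echo hello from the gate", "ls -l",
                    "ls; cat notes.txt", "/bin/ls", "cat ../secret"]:
        if is_accepted(request):
            result = run_tool_command(request)
            print(f"ACCEPTED {request!r} -> rc={result.returncode}")
        else:
            print(f"REJECTED {request!r}")
```

The important design choice is that validation and execution operate on the same argv list: nothing between the check and the `execve()` call can re-interpret the input. A log entry for every `CommandRejected` also gives the operator a detection signal for probing against the tool.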

Impact

Successful exploitation grants an attacker the ability to run arbitrary commands or code on the host system with the same privileges as the AgentScope application. This can lead to a complete compromise of the server, including data theft, installation of malware, or use of the system as a foothold for further attacks within a network.

Affected Versions

AgentScope versions 1.0.18 and all prior versions are confirmed to be vulnerable.

Remediation

The primary mitigation is to update the AgentScope package. Users should upgrade to a version newer than 1.0.18 immediately. As the vendor has not provided a formal patch or advisory, users should monitor the official AgentScope repository for updates. If an immediate upgrade is not possible, consider restricting network access to the AgentScope service to only trusted sources as a temporary measure.
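To act on the affected-version range and the remediation above, a practitioner first needs to know which hosts carry AgentScope 1.0.18 or earlier. The following is an added check, not from the advisory or the AgentScope project: it classifies a version string against the range the advisory gives, reads the locally installed version, and scans `pip freeze`-style output collected from other hosts. It assumes the installed distribution is named `agentscope`; the sample freeze output is constructed for the example.

```python
"""Added check, not from the advisory or the AgentScope project: decide whether
an AgentScope version is in the affected range the advisory states (1.0.18 and
all prior versions), look up the locally installed version, and scan
`pip freeze`-style output. Assumption: the distribution is named "agentscope"."""
from importlib import metadata
from typing import Dict, Optional, Tuple

# From the advisory: 1.0.18 and every earlier release are affected.
LAST_AFFECTED = (1, 0, 18)
DIST_NAME = "agentscope"  # assumed distribution name


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a version string to its leading numeric release segments.

    '1.0.18' -> (1, 0, 18); '1.0.19rc1' -> (1, 0, 19); 'v1.1' -> (1, 1, 0).
    Pre- and post-release suffixes are dropped, so '1.0.18rc1' compares like
    1.0.18: the check errs toward reporting "affected".
    """
    parts = []
    for segment in version.strip().lstrip("vV").split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when `version` falls in the range the advisory lists as vulnerable."""
    return parse_version(version) <= LAST_AFFECTED


def installed_version(dist_name: str = DIST_NAME) -> Optional[str]:
    """Version of the locally installed package, or None if it is not installed."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def scan_freeze(freeze_output: str, dist_name: str = DIST_NAME) -> Dict[str, Tuple[str, bool]]:
    """Scan `pip freeze` text (one 'name==version' per line) for the target package.

    Returns {name: (version, affected)} for each pinned line whose name matches,
    so output gathered from any host can be classified the same way.
    """
    findings = {}
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, pinned = line.partition("==")
        if name.strip().lower() == dist_name.lower():
            findings[name.strip()] = (pinned.strip(), is_affected(pinned))
    return findings


if __name__ == "__main__":
    local = installed_version()
    if local is None:
        print(f"{DIST_NAME} is not installed here")
    else:
        print(f"{DIST_NAME} {local}: {'AFFECTED' if is_affected(local) else 'not affected'}")

    # Constructed sample of pip freeze output, as it might be collected from another host.
    sample = "requests==2.31.0\nagentscope==1.0.18\nnumpy==1.26.4\n"
    for name, (ver, hit) in scan_freeze(sample).items():
        print(f"{name}=={ver}: {'AFFECTED, upgrade past 1.0.18' if hit else 'ok'}")
```

Because the advisory states that no formal patch or vendor advisory exists yet, `LAST_AFFECTED` is the only boundary this check can rely on; once a fixed release is published, the same function can be pointed at that release instead.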

Security Insight

This vulnerability highlights the persistent risk in AI agent frameworks that dynamically execute code: a powerful but dangerous capability. As with past incidents in tools such as LangChain, it underscores that security is often an afterthought in rapidly developed AI tooling. The lack of vendor response to early disclosure is concerning and shifts the entire burden of risk management onto the user community.
