CVE-2026-30617

High

Published: 15 April 2026

Published

15 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS Score 0.0019 40.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When…

the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.

Mitigating Controls (NIST 800-53 r5)AI

SC-14 Public Access Protections good match

prevent

Protects the publicly exposed MCP management interface with authentication, restrictions, or other controls to block remote unauthenticated access and configuration by attackers.

SI-10 Information Input Validation good match

prevent

Validates inputs to the MCP STDIO server configuration and execution handling to prevent injection of attacker-controlled malicious commands and arguments leading to RCE.

CM-5 Access Restrictions for Change good match

prevent

Restricts access to configuration change processes for the MCP STDIO server, preventing unauthorized remote modifications that enable arbitrary command execution.

Security SummaryAI

CVE-2026-30617 is a remote code execution vulnerability (CWE-77) in LangChain-ChatChat version 0.3.1. The flaw exists in the MCP STDIO server configuration and execution handling components. A remote attacker can access the publicly exposed MCP management interface to configure an MCP STDIO server using attacker-controlled commands and arguments. Published on 2026-04-15, the vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

Any remote attacker without authentication can exploit this vulnerability over the network with low complexity. By configuring the MCP STDIO server via the exposed management interface, the attacker sets up malicious commands. When the server starts and MCP is enabled for agent execution, subsequent agent activity triggers execution of those arbitrary commands on the host, achieving full command execution in the context of the LangChain-ChatChat service.

The primary advisory is available at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/, which covers this issue as part of broader MCP supply chain RCE vulnerabilities in the AI ecosystem.

This vulnerability highlights risks in AI agent frameworks like LangChain-ChatChat, where MCP interfaces enable agent-driven execution in AI/ML workflows.

Details

CWE(s): CWE-77

AI Security AnalysisAI

AI Category: NLP and Transformers
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: langchain, mcp, mcp, mcp, mcp, mcp, langchain

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote code execution in a publicly exposed MCP management interface, allowing unauthenticated attackers to configure and trigger arbitrary command execution, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
cve@mitre.org