CVE-2023-36188: LangChain: RCE via PALChain unsanitized Python exec
CRITICAL | PoC AVAILABLE | CISA: ATTEND

Any application running LangChain ≤0.0.64 with PALChain exposed is fully compromised — no credentials needed, network-reachable, trivial to exploit. Patch to a fixed version immediately or disable PALChain entirely. If you can't patch now, add input validation to block code injection and restrict network access to the LangChain service.
Risk Assessment
Maximum exploitability: CVSS 9.8, zero authentication required, no user interaction, low complexity. PALChain passes user-controlled input directly to Python exec(), making this a textbook code injection. Exposure is high because LangChain was the dominant LLM framework at time of disclosure and PALChain was a commonly demonstrated feature. Any internet-facing service using LangChain PALChain is at critical risk of full host compromise.
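The input validation mentioned above is more reliable when done on the parsed program than with string filters. The following is an added example, not LangChain's code and not the change made in PR #6003: it parses a generated program with `ast` and reports anything outside a small allow-list before the program could reach exec(). The function name `validate_pal_program`, the allow-lists and both sample programs are assumptions constructed for illustration.

```python
import ast
import builtins

# Assumed allow-list for PAL-style arithmetic programs (not taken from LangChain).
ALLOWED_NODES = (
    ast.Module, ast.FunctionDef, ast.arguments, ast.Return, ast.Assign,
    ast.AugAssign, ast.Expr, ast.Name, ast.Load, ast.Store, ast.Constant,
    ast.BinOp, ast.UnaryOp, ast.operator, ast.unaryop, ast.Call,
)
ALLOWED_CALLS = {"abs", "min", "max", "round", "sum", "int", "float"}
BLOCKED_NAMES = set(dir(builtins)) - ALLOWED_CALLS


def validate_pal_program(source, entry="solution"):
    """Return a list of violations; an empty list means the program may run."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        line = getattr(node, "lineno", "?")
        if not isinstance(node, ALLOWED_NODES):
            # Imports, attribute access, subscripts, lambdas, loops, etc.
            problems.append(f"line {line}: {type(node).__name__} not allowed")
        elif isinstance(node, ast.FunctionDef) and node.decorator_list:
            problems.append(f"line {line}: decorators not allowed")
        elif isinstance(node, ast.Call):
            # Only direct calls to allow-listed builtins, positional args only.
            ok = isinstance(node.func, ast.Name) and node.func.id in ALLOWED_CALLS
            if not ok or node.keywords:
                problems.append(f"line {line}: call not allowed")
        elif isinstance(node, ast.Name):
            rebinding = isinstance(node.ctx, ast.Store) and node.id in ALLOWED_CALLS
            if node.id in BLOCKED_NAMES or rebinding:
                problems.append(f"line {line}: name {node.id!r} not allowed")
    if [type(n) for n in tree.body] != [ast.FunctionDef] or tree.body[0].name != entry:
        problems.append(f"program must be exactly one function {entry}()")
    return problems


# Constructed samples: a PAL-style answer and a program carrying an import.
BENIGN = "def solution():\n    apples = 3 * 4\n    eaten = 5\n    return apples - eaten\n"
INJECTED = "def solution():\n    import os\n    return os.environ\n"

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("injected", INJECTED)):
        print(name, validate_pal_program(src) or "ok")
```

Call it on the generated program before any exec() and refuse to execute when the returned list is non-empty.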
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langchain | pip | — | No patch |
Recommended Action
1. Patch: Upgrade LangChain to a version after 0.0.64 where PALChain input handling is corrected (PR #6003).
2. Workaround: Disable or remove PALChain from your application if not strictly needed.
3. Network hardening: Place LangChain services behind authentication and restrict to internal networks — this vulnerability requires no auth but network segmentation limits reachability.
4. Least privilege: Run LangChain processes with minimal OS permissions; no root, no write access to sensitive paths.
5. Detection: Monitor for unusual process spawning from Python processes, unexpected outbound connections, and anomalous exec() calls in application logs.
6. Audit: Inventory all LangChain versions in use via SCA tooling (Dependabot, Snyk, pip audit).
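As an added example for the audit and workaround steps (not from the advisory, LangChain, or any tool named above): the script below flags exact `langchain` pins at or below 0.0.64 in a requirements file and lists where application code imports or uses PALChain, so affected services can be prioritised. The function names, the requirements text and the sample application source are constructed for illustration; unpinned or range-pinned requirements are outside what it checks.

```python
import ast
import re

LAST_AFFECTED = (0, 0, 64)  # advisory: LangChain <= 0.0.64 is affected
PIN_RE = re.compile(
    r"^[ \t]*langchain[ \t]*==[ \t]*(\d+(?:\.\d+)*)[ \t]*(?:#.*)?$", re.I | re.M
)


def affected_pins(requirements_text):
    """Return exact `langchain==X.Y.Z` pins that fall in the affected range."""
    pins = [m.group(1) for m in PIN_RE.finditer(requirements_text)]
    return [p for p in pins if tuple(map(int, p.split("."))) <= LAST_AFFECTED]


def palchain_references(source, filename="<source>"):
    """Return sorted (filename, line, detail) for each import or use of PALChain."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ImportFrom):
            if any(a.name == "PALChain" for a in node.names):
                hits.add((filename, node.lineno, f"import from {node.module}"))
        elif isinstance(node, ast.Attribute) and node.attr == "PALChain":
            hits.add((filename, node.lineno, "attribute access .PALChain"))
        elif isinstance(node, ast.Name) and node.id == "PALChain":
            hits.add((filename, node.lineno, "name PALChain used"))
    return sorted(hits)


# Constructed inputs for illustration; parsed only, never imported or executed.
SAMPLE_REQUIREMENTS = "fastapi==0.95.0\nlangchain==0.0.64  # pinned for demo\n"
SAMPLE_APP = (
    "from langchain.chains import PALChain\n"
    "from langchain import OpenAI\n"
    "\n"
    "chain = PALChain.from_math_prompt(OpenAI(temperature=0))\n"
)

if __name__ == "__main__":
    print("affected pins:", affected_pins(SAMPLE_REQUIREMENTS))
    for hit in palchain_references(SAMPLE_APP, "app.py"):
        print("%s:%d: %s" % hit)
```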
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2023-36188?
Any application running LangChain ≤0.0.64 with PALChain exposed is fully compromised — no credentials needed, network-reachable, trivial to exploit. Patch to a fixed version immediately or disable PALChain entirely. If you can't patch now, add input validation to block code injection and restrict network access to the LangChain service.
Is CVE-2023-36188 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-36188, increasing the risk of exploitation.
How to fix CVE-2023-36188?
1. Patch: Upgrade LangChain to a version after 0.0.64 where PALChain input handling is corrected (PR #6003).
2. Workaround: Disable or remove PALChain from your application if not strictly needed.
3. Network hardening: Place LangChain services behind authentication and restrict to internal networks — this vulnerability requires no auth but network segmentation limits reachability.
4. Least privilege: Run LangChain processes with minimal OS permissions; no root, no write access to sensitive paths.
5. Detection: Monitor for unusual process spawning from Python processes, unexpected outbound connections, and anomalous exec() calls in application logs.
6. Audit: Inventory all LangChain versions in use via SCA tooling (Dependabot, Snyk, pip audit).
What systems are affected by CVE-2023-36188?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, RAG pipelines, chatbot infrastructure, AI-powered internal tools.
What is the CVSS score for CVE-2023-36188?
CVE-2023-36188 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 6.59%.
Technical Details
NVD Description
An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.
Exploitation Scenario
An adversary identifies a public-facing chatbot or internal AI assistant built on LangChain 0.0.64 using PALChain to answer math or logic questions. They craft a PALChain query containing embedded Python that exfiltrates environment variables (including OPENAI_API_KEY, database credentials, AWS keys) to an attacker-controlled endpoint. The payload is sent as a normal HTTP POST — no special access required. Within seconds, the attacker has obtained cloud credentials and API keys, pivots to exfiltrate the vector database, and establishes a reverse shell for persistence. The entire operation requires no LangChain or AI knowledge — just awareness of the exec() injection point.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same package: langchain |
| CVE-2023-34541 | 9.8 | LangChain: RCE via unsafe load_prompt deserialization | Same package: langchain |
| CVE-2023-29374 | 9.8 | LangChain: RCE via prompt injection in LLMMathChain | Same package: langchain |
| CVE-2023-34540 | 9.8 | LangChain: RCE via JiraAPIWrapper crafted input | Same package: langchain |
| CVE-2023-36258 | 9.8 | LangChain: unauthenticated RCE via code injection | Same package: langchain |