CVE-2023-36188: LangChain: RCE via PALChain unsanitized Python exec

Severity: CRITICAL | PoC available | CISA SSVC: Attend
Published July 6, 2023
CISO Take

Any application running LangChain ≤0.0.64 with PALChain exposed is fully compromised — no credentials needed, network-reachable, trivial to exploit. Patch to a fixed version immediately or disable PALChain entirely. If you can't patch now, add input validation to block code injection and restrict network access to the LangChain service.

What is the risk?

Maximum exploitability: CVSS 9.8, zero authentication required, no user interaction, low complexity. PALChain passes user-controlled input directly to Python exec(), making this a textbook code injection. Exposure is high because LangChain was the dominant LLM framework at the time of disclosure and PALChain was a commonly demonstrated feature. Any internet-facing service using LangChain PALChain is at critical risk of full host compromise.

What systems are affected?

Package: LangChain
Ecosystem: pip
Vulnerable Range: ≤0.0.64
Patched: No patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
1.6%
chance of exploitation in 30 days
Higher than 72% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Patch: Upgrade LangChain to a version after 0.0.64 where PALChain input handling is corrected (PR #6003).

  2. Workaround: Disable or remove PALChain from your application if not strictly needed.

  3. Network hardening: Place LangChain services behind authentication and restrict to internal networks — this vulnerability requires no auth but network segmentation limits reachability.

  4. Least privilege: Run LangChain processes with minimal OS permissions; no root, no write access to sensitive paths.

  5. Detection: Monitor for unusual process spawning from Python processes, unexpected outbound connections, and anomalous exec() calls in application logs.

  6. Audit: Inventory all LangChain versions in use via SCA tooling (Dependabot, Snyk, pip audit).
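The workaround and input-validation steps above can be made concrete as a structural allowlist applied to model-generated code before it ever reaches exec(). The following is an added example written for this page; it is not LangChain's own code and not the fix from PR #6003. The function names (validate_generated_code, run_generated_code, is_rejected), the SAFE_BUILTINS and FORBIDDEN_NAMES sets, and the sample programs are all constructed for the illustration. The validator parses the code with Python's ast module and refuses imports, references to dangerous builtins, any dunder attribute or name, and anything other than a single top-level function; only code that passes is executed, and then with a reduced builtins table.

```python
import ast
import builtins

# Builtins that a generated arithmetic/logic solution legitimately needs.
# Constructed allowlist for this example; widen it deliberately, not by default.
SAFE_BUILTINS = {
    name: getattr(builtins, name)
    for name in ("abs", "min", "max", "sum", "round", "len", "range", "int",
                 "float", "str", "bool", "list", "dict", "sorted", "enumerate", "zip")
}

# Names that a math/logic solution has no reason to touch. Constructed denylist;
# it complements the structural rules below rather than replacing them.
FORBIDDEN_NAMES = {"exec", "eval", "compile", "open", "globals", "locals",
                   "getattr", "setattr", "delattr", "vars", "input", "breakpoint"}


class UnsafeCodeError(ValueError):
    """Raised when generated code fails the structural allowlist."""


def validate_generated_code(code: str, solution_function: str = "solution") -> ast.Module:
    """Parse generated code and reject anything beyond a single pure function.

    Rules: exactly one top-level definition named `solution_function`, no import
    statements, no use of FORBIDDEN_NAMES, and no dunder names or attributes
    (the usual route from a harmless object back to interpreter internals).
    """
    try:
        tree = ast.parse(code, mode="exec")
    except SyntaxError as exc:
        raise UnsafeCodeError(f"generated code does not parse: {exc.msg}") from exc

    body = tree.body
    if (len(body) != 1 or not isinstance(body[0], ast.FunctionDef)
            or body[0].name != solution_function):
        raise UnsafeCodeError(f"expected a single top-level function named {solution_function!r}")

    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise UnsafeCodeError("import statements are not allowed")
        if isinstance(node, ast.Name):
            if node.id in FORBIDDEN_NAMES or node.id.startswith("__"):
                raise UnsafeCodeError(f"use of {node.id!r} is not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise UnsafeCodeError(f"dunder attribute {node.attr!r} is not allowed")
    return tree


def run_generated_code(code: str, solution_function: str = "solution"):
    """Validate first, then execute with only SAFE_BUILTINS visible and return the result."""
    validate_generated_code(code, solution_function)
    namespace = {"__builtins__": dict(SAFE_BUILTINS)}
    exec(compile(code, "<llm-generated>", "exec"), namespace)
    return namespace[solution_function]()


def is_rejected(code: str) -> bool:
    """True if the validator refuses the code (used for the samples below)."""
    try:
        validate_generated_code(code)
    except UnsafeCodeError:
        return False or True
    return False


# Constructed sample: the kind of program a PAL-style chain asks the model to produce.
BENIGN_CODE = """
def solution():
    apples_start = 23
    apples_used = 20
    apples_bought = 6
    return apples_start - apples_used + apples_bought
"""

# Constructed samples of the shapes the validator must refuse (payloads are harmless).
INJECTED_IMPORT = """
import os
def solution():
    return os.getcwd()
"""

INJECTED_DUNDER_IMPORT = """
def solution():
    return __import__("os").getcwd()
"""

INJECTED_ATTRIBUTE = """
def solution():
    return (1).__class__
"""

if __name__ == "__main__":
    print("benign result:", run_generated_code(BENIGN_CODE))
    for sample in (INJECTED_IMPORT, INJECTED_DUNDER_IMPORT, INJECTED_ATTRIBUTE):
        print("rejected:", is_rejected(sample))
```

Treat this as defence in depth behind steps 1 and 2, not as a sandbox: replacing `__builtins__` alone is well known to be bypassable, which is why the AST rules on dunder names and attributes carry the real weight, and even validated code should run in a separate, least-privilege process or container as step 4 recommends.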

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system input controls
NIST AI RMF
MANAGE 2.4 - Mechanisms for AI risk response
OWASP LLM Top 10
LLM02 - Insecure Output Handling
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2023-36188?

Any application running LangChain ≤0.0.64 with PALChain exposed is fully compromised — no credentials needed, network-reachable, trivial to exploit. Patch to a fixed version immediately or disable PALChain entirely. If you can't patch now, add input validation to block code injection and restrict network access to the LangChain service.

Is CVE-2023-36188 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-36188, increasing the risk of exploitation.

How to fix CVE-2023-36188?

  1. Patch: Upgrade LangChain to a version after 0.0.64 where PALChain input handling is corrected (PR #6003).
  2. Workaround: Disable or remove PALChain from your application if not strictly needed.
  3. Network hardening: Place LangChain services behind authentication and restrict to internal networks — this vulnerability requires no auth but network segmentation limits reachability.
  4. Least privilege: Run LangChain processes with minimal OS permissions; no root, no write access to sensitive paths.
  5. Detection: Monitor for unusual process spawning from Python processes, unexpected outbound connections, and anomalous exec() calls in application logs.
  6. Audit: Inventory all LangChain versions in use via SCA tooling (Dependabot, Snyk, pip audit).

What systems are affected by CVE-2023-36188?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, RAG pipelines, chatbot infrastructure, AI-powered internal tools.

What is the CVSS score for CVE-2023-36188?

CVE-2023-36188 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.57%.

What is the AI security impact?

Affected AI Architectures

  • agent frameworks
  • LLM application backends
  • RAG pipelines
  • chatbot infrastructure
  • AI-powered internal tools

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM02, LLM08

What are the technical details?

Original Advisory

An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.

Exploitation Scenario

An adversary identifies a public-facing chatbot or internal AI assistant built on LangChain 0.0.64 using PALChain to answer math or logic questions. They craft a PALChain query containing embedded Python that exfiltrates environment variables (including OPENAI_API_KEY, database credentials, AWS keys) to an attacker-controlled endpoint. The payload is sent as a normal HTTP POST — no special access required. Within seconds, the attacker has obtained cloud credentials and API keys, pivots to exfiltrate the vector database, and establishes a reverse shell for persistence. The entire operation requires no LangChain or AI knowledge — just awareness of the exec() injection point.

Weaknesses (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 6, 2023
Last Modified
November 21, 2024
First Seen
July 6, 2023
