Cyber Resilience

CVE-2026-30617

HighRCE

Published: 15 April 2026

Published
15 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0047 37.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30617 is a high-severity Command Injection (CWE-77) vulnerability in Ox (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-30617 is a remote code execution vulnerability (CWE-77) in LangChain-ChatChat version 0.3.1. The flaw exists in the MCP STDIO server configuration and execution handling components. A remote attacker can access the publicly exposed MCP management interface to configure an MCP STDIO server using attacker-controlled commands and arguments. Published on 2026-04-15, the vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

Any remote attacker without authentication can exploit this vulnerability over the network with low complexity. By configuring the MCP STDIO server via the exposed management interface, the attacker sets up malicious commands. When the server starts and MCP is enabled for agent execution, subsequent agent activity triggers execution of those arbitrary commands on the host, achieving full command execution in the context of the LangChain-ChatChat service.

The primary advisory is available at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/, which covers this issue as part of broader MCP supply chain RCE vulnerabilities in the AI ecosystem.

This vulnerability highlights risks in AI agent frameworks like LangChain-ChatChat, where MCP interfaces enable agent-driven execution in AI/ML workflows.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When…

more

the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langchain, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote code execution in a publicly exposed MCP management interface, allowing unauthenticated attackers to configure and trigger arbitrary command execution, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-34166Shared CWE-77
CVE-2026-26093Shared CWE-77
CVE-2025-56425Shared CWE-77
CVE-2026-30616Shared CWE-77
CVE-2024-55062Shared CWE-77
CVE-2024-54660Shared CWE-77
CVE-2026-30310Shared CWE-77
CVE-2026-30625Shared CWE-77
CVE-2025-61489Shared CWE-77
CVE-2024-8156Shared CWE-77

Affected Assets

Ox
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Protects the publicly exposed MCP management interface with authentication, restrictions, or other controls to block remote unauthenticated access and configuration by attackers.

prevent

Validates inputs to the MCP STDIO server configuration and execution handling to prevent injection of attacker-controlled malicious commands and arguments leading to RCE.

prevent

Restricts access to configuration change processes for the MCP STDIO server, preventing unauthorized remote modifications that enable arbitrary command execution.

References