CVE-2026-30617
Published: 15 April 2026
Summary
CVE-2026-30617 is a high-severity Command Injection (CWE-77) vulnerability in Ox (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Protects the publicly exposed MCP management interface with authentication, restrictions, or other controls to block remote unauthenticated access and configuration by attackers.
Validates inputs to the MCP STDIO server configuration and execution handling to prevent injection of attacker-controlled malicious commands and arguments leading to RCE.
Restricts access to configuration change processes for the MCP STDIO server, preventing unauthorized remote modifications that enable arbitrary command execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote code execution in a publicly exposed MCP management interface, allowing unauthenticated attackers to configure and trigger arbitrary command execution, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When…
more
the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.
Deeper analysisAI
CVE-2026-30617 is a remote code execution vulnerability (CWE-77) in LangChain-ChatChat version 0.3.1. The flaw exists in the MCP STDIO server configuration and execution handling components. A remote attacker can access the publicly exposed MCP management interface to configure an MCP STDIO server using attacker-controlled commands and arguments. Published on 2026-04-15, the vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
Any remote attacker without authentication can exploit this vulnerability over the network with low complexity. By configuring the MCP STDIO server via the exposed management interface, the attacker sets up malicious commands. When the server starts and MCP is enabled for agent execution, subsequent agent activity triggers execution of those arbitrary commands on the host, achieving full command execution in the context of the LangChain-ChatChat service.
The primary advisory is available at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/, which covers this issue as part of broader MCP supply chain RCE vulnerabilities in the AI ecosystem.
This vulnerability highlights risks in AI agent frameworks like LangChain-ChatChat, where MCP interfaces enable agent-driven execution in AI/ML workflows.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: langchain, mcp, mcp, mcp, mcp, mcp, langchain