CVE-2026-30617
Published: 15 April 2026
Summary
CVE-2026-30617 is a high-severity Command Injection (CWE-77) vulnerability in Ox (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2026-30617 is a remote code execution vulnerability (CWE-77) in LangChain-ChatChat version 0.3.1. The flaw exists in the MCP STDIO server configuration and execution handling components. A remote attacker can access the publicly exposed MCP management interface to configure an MCP STDIO server using attacker-controlled commands and arguments. Published on 2026-04-15, the vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).
Any remote attacker without authentication can exploit this vulnerability over the network with low complexity. By configuring the MCP STDIO server via the exposed management interface, the attacker sets up malicious commands. When the server starts and MCP is enabled for agent execution, subsequent agent activity triggers execution of those arbitrary commands on the host, achieving full command execution in the context of the LangChain-ChatChat service.
The primary advisory is available at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/, which covers this issue as part of broader MCP supply chain RCE vulnerabilities in the AI ecosystem.
This vulnerability highlights risks in AI agent frameworks like LangChain-ChatChat, where MCP interfaces enable agent-driven execution in AI/ML workflows.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22941
Vulnerability details
LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When…
more
the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: langchain, mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote code execution in a publicly exposed MCP management interface, allowing unauthenticated attackers to configure and trigger arbitrary command execution, directly enabling T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Protects the publicly exposed MCP management interface with authentication, restrictions, or other controls to block remote unauthenticated access and configuration by attackers.
Validates inputs to the MCP STDIO server configuration and execution handling to prevent injection of attacker-controlled malicious commands and arguments leading to RCE.
Restricts access to configuration change processes for the MCP STDIO server, preventing unauthorized remote modifications that enable arbitrary command execution.