CVE-2026-30617 - Vulnerability Details

- Remote Code Execution via MCP STDIO Server Configuration in LangChain-ChatChat 0.3.1

Description

LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.

Published: 2026-04-15

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

LangChain-ChatChat 0.3.1 contains a remote code execution flaw that allows an attacker to configure the MCP STDIO server with arbitrary commands through a publicly exposed management interface. Once the server is started and agent execution is enabled, the configured commands are executed during subsequent agent activity, giving the attacker unrestricted execution inside the LangChain-ChatChat service. The vulnerability stems from a lack of proper validation of command inputs, enabling arbitrary command injection. The likely attack vector is a network-based request to the MCP management interface exposed to the internet.

Affected Systems

The affected product is LangChain-ChatChat version 0.3.1. No other vendors or product variants are listed; the vulnerability is tied to the specific MCP STDIO server component of this version.

Risk and Exploitability

Because the attack does not require local privilege and only needs access to the management interface, it poses a high‑severity risk. The CVSS score is 8.6, and EPSS is not available, so exploitation probability is unknown, but the nature of remote code execution means a successful exploit would give attackers full control over the service. The vulnerability is not currently listed in CISA’s KEV catalog, yet its potential impact warrants close monitoring.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Langchain

100%

Version	Status	Scheme	Platform
`0.3.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Block or proxy the MCP management interface so that only authorized, internal hosts can reach it.
Disable or remove the MCP STDIO server configuration that accepts external command inputs, or configure it to use a safe default that does not execute arbitrary commands.
Update LangChain-ChatChat to a patched version when released, or apply any vendor‑supplied workaround; if no patch is available, consider disabling remote agent execution until a fix is provided.

Generated by OpenCVE AI on April 15, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00144.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

History

Wed, 15 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via MCP STDIO Server Configuration in LangChain-ChatChat 0.3.1

Wed, 15 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Langchain Langchain langchain
Vendors & Products		Langchain Langchain langchain

Wed, 15 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When the MCP server is started and MCP is enabled for agent execution, subsequent agent activity triggers execution of arbitrary commands on the server. Successful exploitation allows arbitrary command execution within the context of the LangChain-ChatChat service.
References		https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

Subscriptions

Langchain Langchain

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-15T00:00:00.000Z

Updated: 2026-04-15T18:00:20.495Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30617

Vulnrichment

Updated: 2026-04-15T18:00:14.930Z

NVD

Status : Awaiting Analysis

Published: 2026-04-15T16:16:36.453

Modified: 2026-04-17T15:09:46.880

Link: CVE-2026-30617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object