al-ice.ai

LangChain-ChatChat — RCE via MCP STDIO Server Configuration (CVE-2026-30617)

Security / AI CVEs by al-ice.ai Editorial

LangChain-ChatChat — RCE via MCP STDIO Server Configuration (CVE-2026-30617)

AI relevance: LangChain-ChatChat 0.3.1 exposes its MCP management interface to the network without authentication, allowing any remote attacker to configure an MCP STDIO server with arbitrary commands — which execute when the agent next runs a tool call.

  • CVE-2026-30617 (CVSS 8.6, published April 15, 2026) is a remote code execution vulnerability in LangChain-ChatChat version 0.3.1
  • The application's MCP management interface is network-accessible and allows configuration of MCP STDIO servers with user-supplied commands and arguments
  • No authentication is required to access the MCP configuration interface (CVSS PR:N — No Privileges Required)
  • Attack flow: configure malicious MCP STDIO server → trigger agent activity → attacker-controlled commands execute on the underlying system
  • Commands run under the privileges of the LangChain-ChatChat service process
  • The vulnerability is a command injection scenario where attacker-controlled strings are passed directly to a command execution context
  • No public proof-of-concept is available at time of writing, but the attack flow is clearly described in the CVE advisory
  • No patch details have been published — organizations should apply network-level restrictions to the MCP management interface as interim mitigation

Why It Matters

This is another example of MCP management interfaces being exposed without proper access controls. LangChain-ChatChat is a popular open-source RAG-based chat application built on LangChain — deployments are likely internet-facing in research, enterprise, and demo environments. The vulnerability pattern is consistent with what we've seen in nginx-ui (CVE-2026-33032) and aws-mcp-server (CVE-2026-5058): MCP configuration and execution surfaces are treated as internal tooling, but when exposed to networks, they become trivial RCE vectors. The fact that commands execute when the agent performs any tool call makes this a deferred execution attack — the damage triggers on the next legitimate agent activity.

What To Do

  • Restrict network access — firewall the LangChain-ChatChat MCP management interface; do not expose it to untrusted networks
  • Audit MCP server configurations — review existing STDIO server configs for unauthorized commands or arguments
  • Monitor process activity — watch for unexpected command execution from the LangChain-ChatChat service user
  • Check for patches — monitor the LangChain-ChatChat repository for an official fix; no patch is available at time of writing
  • Consider disabling MCP in LangChain-ChatChat if the feature is not actively used — remove the attack surface entirely

Sources: