Two distinct AI agent frameworks published high-severity remote code execution vulnerabilities on April 15, 2026, and both share the same root cause: MCP server configuration fields that accept arbitrary shell commands without validation. CVE-2026-30617 affects LangChain-ChatChat 0.3.1. CVE-2026-30624 affects Agent Zero 0.9.8. Both carry a CVSS score of 8.6, both require no authentication, and both are exploitable over the network.

The Vulnerability Pattern

The architectural failure is identical in both cases. According to TheHackerWire’s analysis of CVE-2026-30617, LangChain-ChatChat exposes an MCP management interface that allows configuring an MCP STDIO server with arbitrary command-and-args values. Once an attacker configures a malicious server and agent activity triggers execution, the attacker achieves arbitrary command execution on the host.

Agent Zero 0.9.8 follows the same pattern. The CVE database entry for CVE-2026-30624 describes it directly: “The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the configuration is applied without sufficient validation or restriction.”

In both cases, the MCP protocol itself is not the vulnerability. The failure is in how these frameworks handle MCP server configuration inputs, treating user-supplied command strings as trusted and executing them in the agent’s operational context.

No Authentication Required

The unauthenticated access vector is what makes both vulnerabilities critical for anyone running these frameworks in production. As TheHackerWire reports, any network-accessible deployment of either LangChain-ChatChat 0.3.1 or Agent Zero 0.9.8 is remotely exploitable without credentials. An attacker with network access to the exposed MCP management interface can configure a malicious server, wait for agent activity to trigger execution, and achieve arbitrary command execution under the privileges of the running service.

No public proof-of-concept exploits have been published for either CVE at time of writing. No patches are available yet for either framework, according to both TheHackerWire advisories.

MCP Configuration as an Attack Surface

These two CVEs are not isolated incidents. They follow a pattern that has been building across the AI agent ecosystem throughout April 2026. CVE-2026-33032 (“MCPwn”), a CVSS 9.8 authentication bypass in nginx-ui’s MCP endpoint, was disclosed on April 16. The Flowise CVSS 10.0 vulnerability (CVE-2025-59528), which targeted 12,000+ exposed instances via MCP CustomNode JavaScript injection, was published April 7-9. Three distinct frameworks, three distinct MCP-adjacent vulnerabilities, all within nine days.

The common thread is the MCP trust model. The protocol assumes that entities configuring MCP servers are trustworthy. When frameworks expose configuration interfaces to the network without authentication or input validation, that assumption becomes the attack surface.

Immediate Actions for Builders

For teams running LangChain-ChatChat 0.3.1 or Agent Zero 0.9.8: restrict network access to MCP management interfaces immediately. Bind development deployments to localhost only. Monitor official channels for patches.

The broader lesson applies to any agent framework that accepts user-supplied values in fields that influence command execution. Validate MCP server configuration inputs. Sandbox command execution. Default to deny on network-exposed management interfaces. The MCP ecosystem is growing faster than its security practices, and attackers are auditing the gap.