PatchSiren cyber security CVE debrief
CVE-2026-34070 langchain-ai CVE debrief
LangChain Core versions prior to 1.2.22 contain a path traversal vulnerability in prompt loading functions. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validating against directory traversal sequences or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem. File-extension checks exist but are insufficient: `.txt` for templates and `.json`/`.yaml` for examples do not prevent traversal outside intended directories. The vulnerability was published on 2026-03-31 and last modified on 2026-06-01. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS 3.1 score of 7.5 (HIGH severity). The issue has been patched in langchain-core version 1.2.22. No known exploitation in ransomware campaigns has been documented.
- Vendor: langchain-ai
- Product: langchain
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-31
- Original CVE updated: 2026-06-01
- Advisory published: 2026-03-31
- Advisory updated: 2026-06-01
Who should care
Organizations running LangChain Core versions below 1.2.22 that accept user-influenced prompt configurations, particularly multi-tenant applications, SaaS platforms using LangChain, and systems processing untrusted prompt templates.
Technical summary
The vulnerability exists in `langchain_core.prompts.loading` where `load_prompt()` and `load_prompt_from_config()` deserialize configuration dictionaries containing file paths. These paths are used to read template files (.txt) and example files (.json/.yaml) without sufficient validation. An attacker can embed directory traversal sequences or absolute paths in the configuration to read arbitrary files from the host filesystem. The attack requires network access but no authentication, resulting in high confidentiality impact with no integrity or availability impact.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade langchain-core to version 1.2.22 or later.
- Validate and sanitize all user-influenced prompt configuration inputs before passing them to `load_prompt()` or `load_prompt_from_config()`.
- Restrict file system permissions so the application process cannot access sensitive files outside intended prompt directories.
- Implement additional path validation to reject directory traversal sequences (e.g., ../) and absolute paths in configuration file references.
- Audit existing prompt configurations for unexpected file path references.
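One way to implement the path-validation and audit actions above is a check that runs on a configuration dictionary before it reaches `load_prompt_from_config()`. This is an added example, not LangChain's own code or the vendor patch. It assumes that file references are string values under keys ending in `_path` or a string-valued `examples` key; the `prompts` directory and the sample configurations are constructed.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafePromptPath(ValueError):
    """A prompt config references a file outside the allowed directory."""


def is_file_ref(key, value):
    # Assumption (not from the advisory): file references are string values
    # under keys ending in "_path", or a string-valued "examples" entry.
    return isinstance(value, str) and (key.endswith("_path") or key == "examples")


def check_path(raw, root):
    """Return raw resolved under root, or raise UnsafePromptPath."""
    root = Path(root).resolve()
    # Parse with both flavours so "..\\x" and "C:\\x" are caught on POSIX too.
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(raw)
        if p.anchor or ".." in p.parts:
            raise UnsafePromptPath(f"absolute or traversing path: {raw!r}")
    resolved = (root / raw).resolve()  # follows symlinks inside root
    if not resolved.is_relative_to(root):
        raise UnsafePromptPath(f"escapes {root}: {raw!r}")
    return resolved


def validate_prompt_config(config, root):
    """Walk nested dicts/lists; return every resolved file reference."""
    found, stack = [], [config]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if is_file_ref(str(key), value):
                    found.append(check_path(value, root))
                else:
                    stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
    return found


if __name__ == "__main__":
    # Constructed sample configs, as an application might receive them.
    samples = [
        {"_type": "prompt", "template_path": "greetings/hello.txt"},
        {"_type": "few_shot", "examples": "../../outside.json"},
    ]
    for cfg in samples:
        try:
            print("ok:", validate_prompt_config(cfg, "prompts"))
        except UnsafePromptPath as exc:
            print("rejected:", exc)
```

The returned list doubles as an audit record of which files a configuration would read. The check complements the upgrade to 1.2.22 and does not replace it.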
Evidence notes
Vulnerability confirmed through vendor security advisory and patch commit. Affected CPE: cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*, versions prior to 1.2.22. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Official resources
- CVE-2026-34070 CVE record: CVE.org
- CVE-2026-34070 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Release Notes
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
2026-03-31T03:15:58.947Z