PatchSiren cyber security CVE debrief
CVE-2026-44843 langchain-ai CVE debrief
LangChain versions prior to 0.3.85 and 1.3.3 contain overly permissive deserialization paths that allow instantiation of trusted LangChain-serializable classes with attacker-controlled constructor arguments. The vulnerability stems from runtime code paths that deserialize run inputs, run outputs, or application-controlled payloads using broad object allowlists, including configurations where `allowed_objects` is set to `all`. While this does not permit arbitrary Python object deserialization, it enables attackers to supply malicious serialized constructor dictionaries that trusted runtime paths will instantiate, potentially leading to code execution or other security impacts. The CVSS 3.1 score of 8.2 (HIGH) reflects network attack vector, low attack complexity, no required privileges, and no user interaction, with high confidentiality impact and low integrity impact. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data). Fixes are available in LangChain versions 0.3.85 and 1.3.3.
- Vendor
- langchain-ai
- Product
- langchain
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-26
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-26
- Advisory updated
- 2026-05-26
Who should care
Organizations running LangChain-based applications, particularly those processing untrusted or externally-supplied serialized data. Development teams using LangChain for LLM-powered agents and applications. Security teams responsible for supply chain and dependency management in Python environments.
Technical summary
The vulnerability exists in LangChain's deserialization logic where runtime paths handling run inputs, run outputs, and application-controlled payloads use overly permissive object allowlists. When `load()` is called with `allowed_objects` set to `all`, or with similarly broad configurations, the deserializer permits instantiation of any LangChain-serializable class. An attacker can craft malicious serialized constructor dictionaries that, when processed by these trusted runtime paths, result in instantiation of classes with attacker-controlled arguments. This trusted class instantiation primitive can be chained to achieve code execution or other security impacts. The fix in versions 0.3.85 and 1.3.3 restricts these deserialization paths to more narrowly defined object allowlists appropriate for their specific runtime contexts.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LangChain to version 0.3.85 or 1.3.3 or later to remediate this vulnerability
- Review application code for any custom deserialization paths that may use `allowed_objects` configurations
- Audit serialized data inputs to LangChain runtime paths for unexpected or malicious constructor dictionaries
- Implement input validation and sanitization for any externally-supplied serialized data processed by LangChain
- Monitor for anomalous instantiation patterns or unexpected object creation in LangChain-dependent applications
Evidence notes
CVE description confirms affected versions prior to 0.3.85 and 1.3.3, with fixes in those versions. CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N sourced from NVD. CWE-502 classification from GitHub Security Advisory. No KEV listing present.
Official resources
-
CVE-2026-44843 CVE record
CVE.org
-
CVE-2026-44843 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-26