PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55405 langchain4j CVE debrief

LangChain4j, a Java library for building LLM-powered applications, had a vulnerability prior to versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. The issue allowed SQL injection attacks through crafted metadata keys in EmbeddingSearchRequest.filter(), enabling data exfiltration, denial of service, and row deletion. This vulnerability was particularly concerning for applications utilizing MariaDB and pgvector embedding stores. Developers and security teams should be aware of the potential risks and take immediate action to mitigate the vulnerability.

Vendor
langchain4j
Product
Unknown
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Developers using LangChain4j, especially those building applications with MariaDB and pgvector embedding stores, should update to patched versions to prevent SQL injection attacks. Security teams and vulnerability management teams should also be aware of the potential risks and take immediate action to mitigate the vulnerability. Additionally, operators and platform administrators should review the affected scope and severity of the vulnerability and take necessary actions to ensure the security of their applications.

Technical summary

The vulnerability in LangChain4j's MariaDB and pgvector embedding stores resulted from string-concatenating filter keys and string values directly into SQL queries without adequate escaping. This allowed attackers to inject arbitrary SQL, leading to potential data breaches, service disruptions, and data manipulation. The vulnerability was addressed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. It is essential for developers to update to these versions or later to prevent SQL injection attacks.

Defensive priority

High priority should be given to updating LangChain4j to the latest versions, reviewing and sanitizing user-input metadata keys, and implementing additional security measures to detect and prevent SQL injection attempts.

Recommended defensive actions

  • Update LangChain4j to version 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, or 1.16.3-beta26, or later
  • Review and sanitize user-input metadata keys to prevent SQL injection
  • Implement additional security measures to detect and prevent SQL injection attempts
  • Monitor applications built with LangChain4j for suspicious activity
  • Perform a thorough review of the application's codebase to identify potential vulnerabilities
  • Conduct regular security audits and penetration testing to ensure the application's security posture
  • Consider implementing a web application firewall (WAF) to detect and prevent SQL injection attacks

Evidence notes

The CVE record was published on 2026-07-10T21:16:55.977Z and has not been modified since then. The NVD entry is currently 7.6 HIGH. Limited information is available about the vulnerability's impact and exploitation. However, it is known that the vulnerability was addressed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. Developers and security teams should verify the affected scope and severity of the vulnerability and take immediate action to mitigate the risks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:55.977Z and has not been modified since then.