PatchSiren cyber security CVE debrief
CVE-2026-55405 langchain4j CVE debrief
LangChain4j, a Java library for building LLM-powered applications, had a vulnerability prior to versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. The issue allowed SQL injection attacks through crafted metadata keys in EmbeddingSearchRequest.filter(), enabling data exfiltration, denial of service, and row deletion. This vulnerability was particularly concerning for applications utilizing MariaDB and pgvector embedding stores. Developers and security teams should be aware of the potential risks and take immediate action to mitigate the vulnerability.
- Vendor
- langchain4j
- Product
- Unknown
- CVSS
- HIGH 7.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Developers using LangChain4j, especially those building applications with MariaDB and pgvector embedding stores, should update to patched versions to prevent SQL injection attacks. Security teams and vulnerability management teams should also be aware of the potential risks and take immediate action to mitigate the vulnerability. Additionally, operators and platform administrators should review the affected scope and severity of the vulnerability and take necessary actions to ensure the security of their applications.
Technical summary
The vulnerability in LangChain4j's MariaDB and pgvector embedding stores resulted from string-concatenating filter keys and string values directly into SQL queries without adequate escaping. This allowed attackers to inject arbitrary SQL, leading to potential data breaches, service disruptions, and data manipulation. The vulnerability was addressed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. It is essential for developers to update to these versions or later to prevent SQL injection attacks.
Defensive priority
High priority should be given to updating LangChain4j to the latest versions, reviewing and sanitizing user-input metadata keys, and implementing additional security measures to detect and prevent SQL injection attempts.
Recommended defensive actions
- Update LangChain4j to version 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, or 1.16.3-beta26, or later
- Review and sanitize user-input metadata keys to prevent SQL injection
- Implement additional security measures to detect and prevent SQL injection attempts
- Monitor applications built with LangChain4j for suspicious activity
- Perform a thorough review of the application's codebase to identify potential vulnerabilities
- Conduct regular security audits and penetration testing to ensure the application's security posture
- Consider implementing a web application firewall (WAF) to detect and prevent SQL injection attacks
Evidence notes
The CVE record was published on 2026-07-10T21:16:55.977Z and has not been modified since then. The NVD entry is currently 7.6 HIGH. Limited information is available about the vulnerability's impact and exploitation. However, it is known that the vulnerability was addressed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26. Developers and security teams should verify the affected scope and severity of the vulnerability and take immediate action to mitigate the risks.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:55.977Z and has not been modified since then.