PatchSiren

langchain-ai CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM langchain-ai CVE published 2026-07-06

CVE-2026-59152

The LangSmith Client SDKs provide software development kits for interacting with the LangSmith platform. Prior to version 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to LangSmith as a trace attachment. Depending on how the distributed trace system [truncated]

MEDIUM langchain-ai CVE published 2026-06-22

CVE-2026-55443

CVE-2026-55443 is a medium-severity vulnerability in LangChain, a framework for building agents and LLM-powered applications. The vulnerability allows for path traversal attacks, potentially leading to disclosure of files outside the intended boundary. The issue was fixed in version 1.3.9. LangChain components that resolve filesystem paths or expand search patterns did not consistently confine the resolve [truncated]

MEDIUM langchain-ai CVE published 2026-06-17

CVE-2026-48776

The LangGraph Python SDK, used to connect to LangGraph API servers and manage assistants, threads, and stream runs, has a vulnerability in versions 0.3.14 and prior. The issue arises from unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. This could lead to unintended access, modification, or deletion of resources beyond t [truncated]

MEDIUM langchain-ai CVE published 2026-06-16

CVE-2026-48775

CVE-2026-48775 is a defense-in-depth issue in LangGraph SQLite Checkpoint's JsonPlusSerializer. In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn [truncated]

HIGH langchain-ai CVE published 2026-05-27

CVE-2026-45134

LangSmith Client SDKs prior to Python 0.8.0 and JS/TS 0.6.0 fail to distinguish between prompts owned by the caller's organization and public prompts owned by external parties when using prompt pull methods (pull_prompt/pull_prompt_commit in Python; pullPrompt/pullPromptCommit in JS/TS). These methods fetch and deserialize prompt manifests from the LangSmith Hub, which may contain serialized LangChain obj [truncated]

HIGH langchain-ai CVE published 2026-05-26

CVE-2026-44843

LangChain versions prior to 0.3.85 and 1.3.3 contain overly permissive deserialization paths that allow instantiation of trusted LangChain-serializable classes with attacker-controlled constructor arguments. The vulnerability stems from runtime code paths that deserialize run inputs, run outputs, or application-controlled payloads using broad object allowlists, including configurations where `allowed_obje [truncated]

MEDIUM langchain-ai CVE published 2026-04-24

CVE-2026-41481

CVE-2026-41481 is a Server-Side Request Forgery (SSRF) vulnerability in LangChain Text Splitters prior to version 1.1.2. The vulnerability arises from the `HTMLHeaderTextSplitter.split_text_from_url()` function, which validates the initial URL but then performs the fetch with redirects enabled. This allows an attacker-controlled server to redirect to internal, localhost, or cloud metadata endpoints, poten [truncated]

MEDIUM langchain-ai CVE published 2026-04-23

CVE-2026-41182

LangSmith Client SDKs for JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events. The hideOutputs (JS) and hide_outputs (Python) settings only process inputs and outputs fields on a run object, not the events array where streaming chunks are recorded as new_token events. This causes sensitive LLM output to leak via run events even when r [truncated]

MEDIUM langchain-ai CVE published 2026-04-10

CVE-2026-40190

## Summary CVE-2026-40190 is a prototype pollution vulnerability in the LangSmith JavaScript/TypeScript SDK (langsmith) prior to version 0.5.18. The SDK's internally vendored lodash `set()` utility contains an incomplete fix in its `baseAssignValue()` function, which only blocks the `__proto__` key but fails to prevent traversal via `constructor.prototype`. An attacker who controls keys in data processed [truncated]

HIGH langchain-ai CVE published 2026-03-31

CVE-2026-34070

LangChain Core versions prior to 1.2.22 contain a path traversal vulnerability in prompt loading functions. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validating against directory traversal sequences or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or [truncated]