HIGH
langchain-ai
CVE published 2026-05-26
CVE-2026-44843
LangChain versions prior to 0.3.85 and 1.3.3 contain overly permissive deserialization paths that allow instantiation of trusted LangChain-serializable classes with attacker-controlled constructor arguments. The vulnerability stems from runtime code paths that deserialize run inputs, run outputs, or application-controlled payloads using broad object allowlists, including configurations where `allowed_obje [truncated]