{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34070", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.867Z", "datePublished": "2026-03-31T02:01:49.320Z", "dateUpdated": "2026-03-31T18:04:59.283Z"}, "containers": {"cna": {"title": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"}, {"name": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"version": "< 1.2.22", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T02:01:49.320Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."}], "source": {"advisory": "GHSA-qh6h-p6c9-ff54", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:17:33.597003Z", "id": "CVE-2026-34070", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:04:59.283Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34070", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:17:33.597003Z"}}}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:17:43.293Z"}}], "cna": {"title": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions", "source": {"advisory": "GHSA-qh6h-p6c9-ff54", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"status": "affected", "version": "< 1.2.22"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c", "name": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T02:01:49.320Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34070", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:04:59.283Z", "dateReserved": "2026-03-25T16:21:40.867Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T02:01:49.320Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1D0654C-A99F-4835-9A30-865AEED16BC6", "versionEndExcluding": "1.2.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."}, {"lang": "es", "value": "LangChain es un framework para construir agentes y aplicaciones impulsadas por LLM. Antes de la versi\u00f3n 1.2.22, m\u00faltiples funciones en langchain_core.prompts.loading le\u00edan archivos de rutas incrustadas en diccionarios de configuraci\u00f3n deserializados sin validar contra salto de directorio o inyecci\u00f3n de ruta absoluta. Cuando una aplicaci\u00f3n pasa configuraciones de prompt influenciadas por el usuario a load_prompt() o load_prompt_from_config(), un atacante puede leer archivos arbitrarios en el sistema de archivos del host, restringido solo por verificaciones de extensi\u00f3n de archivo (.txt para plantillas, .json/.yaml para ejemplos). Este problema ha sido parcheado en la versi\u00f3n 1.2.22."}], "id": "CVE-2026-34070", "lastModified": "2026-04-02T17:04:43.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:58.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "langchain: path traversal in legacy load_prompt functions in langchain-core", "id": "2453287", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453287"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in LangChain. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem."], "mitigation": {"lang": "en:us", "value": "As described in the statement section, the vulnerable methods are legacy APIs and their use should be avoided. To mitigate this issue, the dumpd, dumps, load and loads methods from langchain_core.load should be used, as they supersede the legacy API and provide a more secure serialization model."}, "name": "CVE-2026-34070", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-service", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-31T02:01:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34070\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34070\nhttps://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"], "statement": "This flaw is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose `load_prompt_from_config()`.\nAlso, the affected functions (`load_prompt`, `load_prompt_from_config`, and the `.save()` method on prompt classes) are undocumented legacy APIs. They are superseded by the `dumpd`/`dumps`/`load`/`loads` serialization APIs in `langchain_core.load`, which do not perform filesystem reads and use an allowlist-based security model.\nAn attacker who controls or influences the prompt configuration dictionary can read files outside the intended directory, such as cloud-mounted secrets, internal system prompts, cloud credentials, Kubernetes manifests, CI/CD configs, application settings.\nDue to these reasons, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.22)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "langchain", "source": "cna", "vendor": "langchain-ai"}, "product": "langchain", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-04-02T22:02:27.911305+00:00", "value": {"mitigation_remediation": ["Apply the LangChain Core release 1.2.22 or later, which contains the path traversal fix.", "If an immediate upgrade is not possible, restrict or sanitize prompt configuration inputs so that file paths cannot contain suspicious sequences such as '..' or absolute paths."], "summary": {"action": "Immediate Patch", "impact": "Remote File Read"}, "threat_synthesis": {"affected_systems": "The affected product is LangChain Core supplied by langchain-ai. Versions earlier than 1.2.22 are vulnerable. All environments running those versions that invoke load_prompt or load_prompt_from_config with user\u2011controlled configuration data are impacted.", "description_and_impact": "The vulnerability in LangChain Core allows an attacker to read arbitrary files on the host file system. The flaw exists in several legacy prompt loading functions that deserialize configuration dictionaries and then open files based on path entries. The code does not sanitize these paths for directory traversal or absolute path injection. An attacker who can influence prompt configuration parameters can cause the application to read any file with an allowed extension (such as .txt, .json, or .yaml), potentially exposing sensitive data. This weakness corresponds to a path traversal flaw (CWE\u201122).", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity. The EPSS score is very low (<1%), suggesting that exploitation is currently uncommon in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers could exploit the flaw through any interface that accepts prompt configuration data, which can be supplied by end users or third\u2011party integrations. No special privileges are required beyond the application\u2019s runtime context, so the risk depends on the trust level of the data source."}}}}, "created": "2026-03-31T19:56:22.209276+00:00", "updated": "2026-04-03T09:19:34.208635+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langchain"]}