CVE-2026-34070
Published 2026-03-31
Priority: P3 52 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.18% (63.7th percentile)
LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.
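A defender-side check that an application can run on an untrusted prompt config before it reaches `load_prompt_from_config()`, given here as an added example (it is not LangChain's patch or code from the advisory). It assumes path-bearing keys end in `_path` or are a string-valued `examples` entry, and that all prompt files live under one base directory; `validate_prompt_config`, `UnsafePromptPath` and the sample values are hypothetical.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Assumption: path-bearing config keys end in "_path"; "examples" is also a
# file path when its value is a string. Adjust to the keys your configs use.
PATH_KEY_SUFFIX = "_path"
PATH_KEYS = {"examples"}


class UnsafePromptPath(ValueError):
    """Raised when a config value points outside the allowed prompt directory."""


def _check_path(key, value, base):
    # Reject absolute, rooted and drive-qualified paths in POSIX and Windows form.
    if PurePosixPath(value).is_absolute() or PureWindowsPath(value).anchor:
        raise UnsafePromptPath(f"{key}: absolute path {value!r}")
    # Reject any ".." component, whichever separator was used.
    if ".." in PureWindowsPath(value).parts:
        raise UnsafePromptPath(f"{key}: traversal in {value!r}")
    # Resolve symlinks and confirm the result still sits under the base directory.
    resolved = (base / value).resolve()
    if not resolved.is_relative_to(base):
        raise UnsafePromptPath(f"{key}: {value!r} escapes {base}")
    return resolved


def validate_prompt_config(config, base_dir):
    """Walk a (possibly nested) config; return resolved paths or raise."""
    base = Path(base_dir).resolve()
    checked, stack = [], [config]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                is_path_key = str(key).endswith(PATH_KEY_SUFFIX) or key in PATH_KEYS
                if is_path_key and isinstance(value, str):
                    checked.append(_check_path(key, value, base))
                else:
                    stack.append(value)  # nested prompt configs and example lists
        elif isinstance(node, list):
            stack.extend(node)
    return checked


if __name__ == "__main__":
    # Constructed sample config, not taken from the advisory.
    sample = {"examples": "examples.json",
              "example_prompt": {"template_path": "../../outside.txt"}}
    try:
        validate_prompt_config(sample, "/srv/app/prompts")
    except UnsafePromptPath as exc:
        print("rejected:", exc)
```

This check complements upgrading to the patched 1.2.22 release; it does not replace it.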
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain | < 1.2.22 | 1.2.22 |
| langchain | langchain_core | < 1.2.22 | 1.2.22 |
CVSS provenance
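| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |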
GHSA
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
ghsa · 2026-03-27
CVE-2026-34070 [HIGH] CWE-22
## Summary
Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (`.txt` for templates, `.json`/`.yaml` for examples).
**Note:** The affected functions (`load_prompt`, `load_prompt_from_config`, and the `.save()` method on prompt classes) are undocumented legacy APIs. They are superseded by the `dumpd`/`dumps`/`load`/`loads` serialization APIs in `langchain
OSV
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
osv · 2026-03-27
CVE-2026-34070 [HIGH]
Red Hat
langchain: path traversal in legacy load_prompt functions in langchain-core
vendor_redhat·2026-03-31·CVSS 7.5
CVE-2026-34070 [HIGH] CWE-22
A flaw was found in LangChain. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in dese
No detection rules found.
No public exploits indexed.
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
CVE-2026-21519: Desktop Window Manager vulnerability
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21514: a Microsoft Office vulnerability
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
CVE-2026-34070: LangChain framework vulnerability
CVE-2026-22812: an OpenCode vulnerability
Conclusion and advice
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Hackernews
LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
blogs_hackernews·2026-03-27·CVSS 7.3
[HIGH] LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.
Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of LangChain for more sophisticated and non-linear agentic workflows. According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core,
Wiz
CVE-2026-34070 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-34070 [HIGH]
## CVE-2026-34070: Python vulnerability analysis and mitigation
Score: 7.5
Published: March 31, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies
Python
Has Public Explo
https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c
https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22
https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54
https://access.redhat.com/errata/RHSA-2026:24766
https://access.redhat.com/security/cve/CVE-2026-34070
https://bugzilla.redhat.com/show_bug.cgi?id=2453287
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34070.json