{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34070", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.867Z", "datePublished": "2026-03-31T02:01:49.320Z", "dateUpdated": "2026-03-31T18:04:59.283Z"}, "containers": {"cna": {"title": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"}, {"name": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"version": "< 1.2.22", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T02:01:49.320Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."}], "source": {"advisory": "GHSA-qh6h-p6c9-ff54", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T15:17:33.597003Z", "id": "CVE-2026-34070", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:04:59.283Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34070", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T15:17:33.597003Z"}}}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T15:17:43.293Z"}}], "cna": {"title": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions", "source": {"advisory": "GHSA-qh6h-p6c9-ff54", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"status": "affected", "version": "< 1.2.22"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c", "name": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T02:01:49.320Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34070", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:04:59.283Z", "dateReserved": "2026-03-25T16:21:40.867Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T02:01:49.320Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1D0654C-A99F-4835-9A30-865AEED16BC6", "versionEndExcluding": "1.2.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."}, {"lang": "es", "value": "LangChain es un framework para construir agentes y aplicaciones impulsadas por LLM. Antes de la versi\u00f3n 1.2.22, m\u00faltiples funciones en langchain_core.prompts.loading le\u00edan archivos de rutas incrustadas en diccionarios de configuraci\u00f3n deserializados sin validar contra salto de directorio o inyecci\u00f3n de ruta absoluta. Cuando una aplicaci\u00f3n pasa configuraciones de prompt influenciadas por el usuario a load_prompt() o load_prompt_from_config(), un atacante puede leer archivos arbitrarios en el sistema de archivos del host, restringido solo por verificaciones de extensi\u00f3n de archivo (.txt para plantillas, .json/.yaml para ejemplos). Este problema ha sido parcheado en la versi\u00f3n 1.2.22."}], "id": "CVE-2026-34070", "lastModified": "2026-04-02T17:04:43.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:58.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "langchain: path traversal in legacy load_prompt functions in langchain-core", "id": "2453287", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453287"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in LangChain. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem."], "mitigation": {"lang": "en:us", "value": "As described in the statement section, the vulnerable methods are legacy APIs and their use should be avoided. To mitigate this issue, the dumpd, dumps, load and loads methods from langchain_core.load should be used, as they supersede the legacy API and provide a more secure serialization model."}, "name": "CVE-2026-34070", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-service", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-31T02:01:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34070\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34070\nhttps://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"], "statement": "This flaw is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose `load_prompt_from_config()`.\nAlso, the affected functions (`load_prompt`, `load_prompt_from_config`, and the `.save()` method on prompt classes) are undocumented legacy APIs. They are superseded by the `dumpd`/`dumps`/`load`/`loads` serialization APIs in `langchain_core.load`, which do not perform filesystem reads and use an allowlist-based security model.\nAn attacker who controls or influences the prompt configuration dictionary can read files outside the intended directory, such as cloud-mounted secrets, internal system prompts, cloud credentials, Kubernetes manifests, CI/CD configs, application settings.\nDue to these reasons, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.22)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "langchain", "source": "cna", "vendor": "langchain-ai"}, "product": "langchain", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-03-31T05:22:13.369507+00:00", "value": {"mitigation_remediation": ["Update the langchain-core package to version 1.2.22 or later.", "Validate or sanitize prompt configuration paths before calling load_prompt() or load_prompt_from_config(); reject absolute or parent\u2011directory references.", "Audit existing code to ensure that only trusted prompt templates are loaded and that user\u2011supplied configurations are not directly processed."], "summary": {"action": "Patch Now", "impact": "Arbitrary file read"}, "threat_synthesis": {"affected_systems": "Vulnerable versions belong to the open\u2011source LangChain framework from langchain\u2011ai. Any instance of langchain\u2011core earlier than version\u202f1.2.22 is affected. The issue manifests when the application invokes load_prompt() or load_prompt_from_config() with user\u2011supplied configuration data. Affected vendors include langchain\u2011ai, and the impacted product is the langchain\u2011core Python package.", "description_and_impact": "LangChain Core contains a path traversal flaw in legacy prompt-loading functions. If an attacker can inject a prompt configuration that is deserialized by load_prompt() or load_prompt_from_config(), the code reads files from the host file system without validating the path. The only checks are file extensions (.txt for templates and .json/.yaml for examples). This allows an attacker to exfiltrate any readable file within the filesystem scope, resulting in confidentiality compromise. The CVSS score of 7.5 reflects the high impact on confidentiality without requiring elevated privileges.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is considered High. Although no EPSS data is available and it is not listed in the CISA KEV catalog, the exploitation path is straightforward: an attacker provides a crafted prompt configuration that includes a file path pointing outside the intended directory. The function then reads the file, limited only by the extension check. Because the vulnerability does not require additional privileges beyond the application's runtime user, the likelihood of exploitation in a web or service environment is significant when untrusted input is passed to these functions."}}}}, "created": "2026-03-31T19:56:22.209276+00:00", "updated": "2026-03-31T20:39:34.385119+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langchain"]}