Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities found for langchain_core by langchain
CVE-2026-40087 (GCVE-0-2026-40087)
Vulnerability from nvd – Published: 2026-04-09 19:34 – Updated: 2026-04-14 14:48
VLAI?
Title
LangChain has incomplete f-string validation in prompt templates
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28.
Severity ?
5.3 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
< 0.3.83
Affected: >= 1.0.0a1, < 1.2.28 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:47:52.978194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:48:03.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.83"
},
{
"status": "affected",
"version": "\u003e= 1.0.0a1, \u003c 1.2.28"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain\u0027s f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T19:34:55.198Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/36612",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/36612"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/36613",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/36613"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"
}
],
"source": {
"advisory": "GHSA-926x-3r5x-gfhw",
"discovery": "UNKNOWN"
},
"title": "LangChain has incomplete f-string validation in prompt templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40087",
"datePublished": "2026-04-09T19:34:55.198Z",
"dateReserved": "2026-04-09T00:39:12.206Z",
"dateUpdated": "2026-04-14T14:48:03.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26013 (GCVE-0-2026-26013)
Vulnerability from nvd – Published: 2026-02-10 21:51 – Updated: 2026-02-11 21:26
VLAI?
Title
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
< 1.2.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T21:26:20.888102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T21:26:34.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T21:51:07.741Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"
}
],
"source": {
"advisory": "GHSA-2g6r-c272-w58r",
"discovery": "UNKNOWN"
},
"title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26013",
"datePublished": "2026-02-10T21:51:07.741Z",
"dateReserved": "2026-02-09T21:36:29.554Z",
"dateUpdated": "2026-02-11T21:26:34.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68664 (GCVE-0-2025-68664)
Vulnerability from nvd – Published: 2025-12-23 22:47 – Updated: 2025-12-24 14:40
VLAI?
Title
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Severity ?
9.3 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
>= 1.0.0, < 1.2.5
Affected: < 0.3.81 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68664",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T14:40:55.506059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T14:40:58.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.2.5"
},
{
"status": "affected",
"version": "\u003c 0.3.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain\u0027s dumps() and dumpd() functions. The functions do not escape dictionaries with \u0027lc\u0027 keys when serializing free-form dictionaries. The \u0027lc\u0027 key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T22:47:44.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34455"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34458",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34458"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
}
],
"source": {
"advisory": "GHSA-c67j-w6g6-q2cm",
"discovery": "UNKNOWN"
},
"title": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68664",
"datePublished": "2025-12-23T22:47:44.084Z",
"dateReserved": "2025-12-22T23:28:02.917Z",
"dateUpdated": "2025-12-24T14:40:58.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40087 (GCVE-0-2026-40087)
Vulnerability from cvelistv5 – Published: 2026-04-09 19:34 – Updated: 2026-04-14 14:48
VLAI?
Title
LangChain has incomplete f-string validation in prompt templates
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28.
Severity ?
5.3 (Medium)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
< 0.3.83
Affected: >= 1.0.0a1, < 1.2.28 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:47:52.978194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:48:03.160Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.83"
},
{
"status": "affected",
"version": "\u003e= 1.0.0a1, \u003c 1.2.28"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain\u0027s f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T19:34:55.198Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/36612",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/36612"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/36613",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/36613"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"
}
],
"source": {
"advisory": "GHSA-926x-3r5x-gfhw",
"discovery": "UNKNOWN"
},
"title": "LangChain has incomplete f-string validation in prompt templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40087",
"datePublished": "2026-04-09T19:34:55.198Z",
"dateReserved": "2026-04-09T00:39:12.206Z",
"dateUpdated": "2026-04-14T14:48:03.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26013 (GCVE-0-2026-26013)
Vulnerability from cvelistv5 – Published: 2026-02-10 21:51 – Updated: 2026-02-11 21:26
VLAI?
Title
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
< 1.2.11
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T21:26:20.888102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T21:26:34.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T21:51:07.741Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"
}
],
"source": {
"advisory": "GHSA-2g6r-c272-w58r",
"discovery": "UNKNOWN"
},
"title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26013",
"datePublished": "2026-02-10T21:51:07.741Z",
"dateReserved": "2026-02-09T21:36:29.554Z",
"dateUpdated": "2026-02-11T21:26:34.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68664 (GCVE-0-2025-68664)
Vulnerability from cvelistv5 – Published: 2025-12-23 22:47 – Updated: 2025-12-24 14:40
VLAI?
Title
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Severity ?
9.3 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
>= 1.0.0, < 1.2.5
Affected: < 0.3.81 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68664",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T14:40:55.506059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T14:40:58.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.2.5"
},
{
"status": "affected",
"version": "\u003c 0.3.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain\u0027s dumps() and dumpd() functions. The functions do not escape dictionaries with \u0027lc\u0027 keys when serializing free-form dictionaries. The \u0027lc\u0027 key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T22:47:44.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34455"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34458",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34458"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
}
],
"source": {
"advisory": "GHSA-c67j-w6g6-q2cm",
"discovery": "UNKNOWN"
},
"title": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68664",
"datePublished": "2025-12-23T22:47:44.084Z",
"dateReserved": "2025-12-22T23:28:02.917Z",
"dateUpdated": "2025-12-24T14:40:58.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}