LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
Summary
| CVE | CVE-2026-34070 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-31 03:15:58 UTC |
| Updated | 2026-07-10 12:16:41 UTC |
| Description | LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.012040000 probability, percentile 0.646700000 (date 2026-07-13)
Problem Types: CWE-22 | CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Langchain | Langchain Core | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Langchain-ai | Langchain | affected < 1.2.22 | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2.5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-34070 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/langchain-ai/langchain/commit/27add913474e01e33bededf40961511... | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:37275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:24766 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | Exploit, Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34070.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-31T03:02:19.523Z | Reported to Red Hat. |
| ADP | 2026-03-31T02:01:49.320Z | Made public. |
Solutions
ADP: RHSA-2026:24766: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:37275: Red Hat OpenShift AI 3.3
Workarounds
ADP: As described in the statement section, the vulnerable methods are legacy APIs and their use should be avoided. To mitigate this issue, the dumpd, dumps, load and loads methods from langchain_core.load should be used, as they supersede the legacy API and provide a more secure serialization model.