Browse all 34 CVE security advisories affecting langchain-ai. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Langchain-ai provides a framework for developing applications powered by large language models, primarily facilitating the integration of external data sources and tools into AI workflows. Its architecture, which often involves dynamic code execution and complex dependency management, has historically exposed users to significant risks. Security audits reveal thirty-four recorded Common Vulnerabilities and Exposures (CVEs), predominantly involving remote code execution, arbitrary file reads, and injection flaws. These vulnerabilities frequently stem from insufficient input validation in prompt templates and unsafe handling of untrusted data within chains. Notable incidents include critical flaws allowing attackers to execute arbitrary commands on host systems through manipulated LLM outputs or malicious tool definitions. The project's reliance on third-party libraries and its flexible, often opaque, execution paths have contributed to a large attack surface. Users must rigorously sanitize inputs and isolate execution environments to mitigate these inherent risks associated with dynamic AI application development.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-40087 | LangChain has incomplete f-string validation in prompt templates — langchain, CWE-1336 | 5.3 | Medium | 2026-04-09 |
| CVE-2026-34070 | LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions — langchain, CWE-22 | 7.5 | High | 2026-03-31 |
| CVE-2026-26013 | LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages — langchain, CWE-918 | 3.7 | Low | 2026-02-10 |
| CVE-2025-68664 | LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs — langchain, CWE-502 | 9.3 | Critical | 2025-12-23 |
| CVE-2025-65106 | LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates — langchain, CWE-1336 | 8.8 | - | 2025-11-21 |

This page lists every published CVE security advisory associated with langchain-ai. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.