Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3.
Published: 2026-05-26
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LangChain contains a deserialization flaw in its runtime handling of run inputs, run outputs, and other application-controlled payloads, where the `load()` function is invoked with an overly permissive allowlist that accepts all LangChain-serializable objects. Although this does not enable arbitrary Python object deserialization, it allows any trusted LangChain-serializable constructor dictionary to be revived, which means an attacker can supply a dictionary that will be used to instantiate classes with untrusted constructor arguments. This flaw aligns with CWE-502 and can potentially lead to code execution or other unintended behavior in the runtime environment.

Affected Systems

The affected product is the langchain-ai LangChain framework for Python. Versions earlier than 0.3.85 and earlier than 1.3.3 are vulnerable; all later releases include the fix.

Risk and Exploitability

The CVSS score of 8.2 reflects a high-severity vulnerability with high impact. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is any application that passes user-provided data to LangChain's deserialization routines, which could be local or remote depending on the application architecture. The existing mitigation is to update the library to a fixed version.

Generated by OpenCVE AI on May 26, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LangChain library to version 0.3.85 or later, or to 1.3.3 or later, to apply the vendor-supplied fix.
  • Verify that the application no longer uses `load()` with an all-inclusive `allowed_objects` allowlist or other legacy runtime deserialization paths.
  • If upgrading is not immediately possible, review and constrain any use of `load()` to a narrowly scoped allowlist that includes only the minimal set of classes required for normal operation.
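A defence-in-depth gate for the third recommendation, added here as an example and not code from LangChain or OpenCVE: it walks a payload in the LangChain serialization format (`{"lc": 1, "type": "constructor", "id": [...], "kwargs": {...}}`) and refuses it before `load()` is ever called if any constructor's dotted class path is not on a narrow allowlist. The allowlist contents, the sample payloads and the `SomeOtherClass` identifier are constructed for illustration and are assumptions, not values from the advisory.

```python
"""Defensive pre-check for LangChain-style serialized payloads (added example).

Rejects any payload that would ask the loader to revive a class outside a
narrow allowlist, so that untrusted run inputs/outputs never reach a
load(..., allowed_objects="all") style call path.
"""
from __future__ import annotations

from typing import Any, Iterable


class DisallowedObjectError(ValueError):
    """Raised when a payload names a constructor that is not allowed."""


# Hypothetical allowlist for an application that only ever needs to revive
# chat messages from stored run inputs/outputs (an assumption for this example).
MESSAGE_ALLOWLIST = frozenset({
    "langchain.schema.messages.HumanMessage",
    "langchain.schema.messages.AIMessage",
    "langchain.schema.messages.SystemMessage",
})


def constructor_ids(payload: Any) -> Iterable[str]:
    """Yield the dotted id path of every constructor dict nested in payload.

    The LangChain serialization format marks revivable objects with
    {"lc": 1, "type": "constructor", "id": [namespace..., ClassName]}.
    Constructors may be nested inside kwargs, lists, or plain dicts, so the
    whole tree is walked rather than only the top level.
    """
    if isinstance(payload, dict):
        if payload.get("lc") == 1 and payload.get("type") == "constructor":
            ident = payload.get("id")
            if not (isinstance(ident, list) and ident
                    and all(isinstance(part, str) for part in ident)):
                raise DisallowedObjectError("malformed constructor id")
            yield ".".join(ident)
        for value in payload.values():
            yield from constructor_ids(value)
    elif isinstance(payload, list):
        for item in payload:
            yield from constructor_ids(item)


def check_allowed(payload: Any, allowlist: frozenset[str]) -> list[str]:
    """Return every constructor id found, or raise on the first one not allowed."""
    found: list[str] = []
    for cid in constructor_ids(payload):
        if cid not in allowlist:
            raise DisallowedObjectError(f"constructor {cid!r} is not on the allowlist")
        found.append(cid)
    return found


def is_safe_to_load(payload: Any, allowlist: frozenset[str]) -> bool:
    """Boolean gate to place in front of the real load() call."""
    try:
        check_allowed(payload, allowlist)
    except DisallowedObjectError:
        return False
    return True


# Constructed sample run input: two chat messages, both on the allowlist.
BENIGN_RUN_INPUT = {
    "messages": [
        {"lc": 1, "type": "constructor",
         "id": ["langchain", "schema", "messages", "HumanMessage"],
         "kwargs": {"content": "hello"}},
        {"lc": 1, "type": "constructor",
         "id": ["langchain", "schema", "messages", "AIMessage"],
         "kwargs": {"content": "hi"}},
    ]
}

# Constructed sample of what an overly broad allowlist would accept: a
# constructor for a class this application never needs (placeholder name).
UNEXPECTED_CONSTRUCTOR = {
    "messages": [
        {"lc": 1, "type": "constructor",
         "id": ["langchain", "example", "SomeOtherClass"],
         "kwargs": {"arg": "attacker-controlled"}},
    ]
}

if __name__ == "__main__":
    print(check_allowed(BENIGN_RUN_INPUT, MESSAGE_ALLOWLIST))
    print(is_safe_to_load(UNEXPECTED_CONSTRUCTOR, MESSAGE_ALLOWLIST))
```

In an application, call `is_safe_to_load(payload, allowlist)` on any run input or output that came from outside the trust boundary and only then hand it to `load()` with the same narrow `allowed_objects` set; the gate is an extra check, not a replacement for upgrading to a fixed release.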

Tracking

Advisories
Source: GitHub GHSA
ID: GHSA-pjwx-r37v-7724
Title: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
History

Tue, 26 May 2026 20:30:00 +0000

Values added:

Description: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3.
Title: LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists
Weaknesses: CWE-502
References: (none listed)
Metrics: cvssV3_1, score 8.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T19:47:35.328Z

Reserved: 2026-05-07T21:21:48.352Z

Link: CVE-2026-44843

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T21:16:39.003

Modified: 2026-05-26T21:16:39.003

Link: CVE-2026-44843

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T22:00:15Z

Weaknesses