Description
LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to address a different resource (and potentially a different resource type) than the SDK method's call site indicates. In deployments where the SDK receives identifier values that originate from untrusted sources, this could result in unintended access, modification, or deletion of resources beyond the calling user's authorization scope. This issue is most consequential in deployments that forward end-user-supplied values directly into SDK identifier parameters without first validating them against an expected format (such as a UUID), and rely on URL-prefix-based authorization at an upstream layer (reverse proxy, edge gateway, WAF), where the authorization decision is made on the SDK call's intended path rather than on the final delivered request path. The issue has been fixed in version 0.3.15.
Published: 2026-06-16
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the LangGraph Python SDK, which builds HTTP request paths from caller‑supplied identifier values without sanitization. When an identifier contains characters that have special meaning in URL paths, the SDK can construct a path that points to a different resource or resource type than intended. Consequently an attacker can unintentionally access, modify, or delete resources outside the calling user's authorization scope. This flaw implicates CWE‑22 for path traversal and CWE‑863 for missing input validation.

Affected Systems

The affected products are the LangChain AI LangGraph Python SDK and related libraries from langchain‑ai. Versions 0.3.14 and earlier are impacted; the fix was released in version 0.3.15.

Risk and Exploitability

The CVSS score of 4.2 indicates a low severity, and the EPSS score of less than 1% suggests a very low but non‑zero chance of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply or manipulate an identifier value that originates from an untrusted source, such as an end‑user input passed to the SDK. If the deployment relies on upstream URL‑prefix based authorization, the attack could bypass those controls by redirecting the request to an unintended resource.

Generated by OpenCVE AI on June 17, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LangGraph SDK to version 0.3.15 or later, which removes the unsafe path construction.
  • Before passing identifier values to the SDK, perform strict validation against an expected format (e.g., a UUID) and sanitize any characters that have special meaning in URLs.
  • Ensure upstream authorization mechanisms evaluate the actual request path, not only the intended SDK path, or enforce stricter access controls that are independent of the SDK’s path construction.

Generated by OpenCVE AI on June 17, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w39p-vh2g-g8g5 LangGraph SDK has unsafe URL path construction
History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langchain
Langchain-ai langchain-sdk
Vendors & Products Langchain-ai
Langchain-ai langchain
Langchain-ai langchain-sdk

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to address a different resource (and potentially a different resource type) than the SDK method's call site indicates. In deployments where the SDK receives identifier values that originate from untrusted sources, this could result in unintended access, modification, or deletion of resources beyond the calling user's authorization scope. This issue is most consequential in deployments that forward end-user-supplied values directly into SDK identifier parameters without first validating them against an expected format (such as a UUID), and rely on URL-prefix-based authorization at an upstream layer (reverse proxy, edge gateway, WAF), where the authorization decision is made on the SDK call's intended path rather than on the final delivered request path. The issue has been fixed in version 0.3.15.
Title LangGraph SDK has unsafe URL path construction
Weaknesses CWE-22
CWE-863
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Langchain-ai Langchain Langchain-sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-17T14:02:24.568Z

Reserved: 2026-05-22T19:39:05.357Z

Link: CVE-2026-48776

cve-icon Vulnrichment

Updated: 2026-06-17T14:02:17.441Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T19:51:09Z

Links: CVE-2026-48776 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:50Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-863

    Incorrect Authorization