Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source — including an LLM acting on untrusted input — the result can be disclosure of files outside the intended boundary. This vulnerability is fixed in 1.3.9.
Published: 2026-06-22
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LangChain is a Python framework for building LLM‑powered agents. The vulnerability arises from components that resolve filesystem paths and glob patterns without properly restricting them to a defined root. When the framework processes a path field, a search pattern, or a workspace content supplied from an untrusted source—such as user input or text generated by an LLM—an attacker can supply a pattern that traverses directories, follows symlinks, or exploits a faulty prefix check, leading the loader or middleware to read files outside the intended sandbox. This leakage can reveal internal configuration files, secrets, or other sensitive data, compromising confidentiality. The weakness maps to CWE‑22 (Path Traversal) and CWE‑59 (Improper Restriction of Pathname Manipulation).

Affected Systems

The affected products are LangChain and LangChain‑Anthropic libraries under the langchain‑ai purview. Any installation using a version earlier than 1.3.9 is potentially vulnerable. The flaw exists in components such as the file‑search agent middleware, prompt‑ and chain/agent‑configuration loaders, and path‑prefix authorization checks. Both packages receive external path inputs and could be triggered by user‑supplied arguments or LLM‑generated strings. No specific product edition or operating system is mentioned, so any environment running the vulnerable code is at risk—whether a local script, cloud function, or server‑side application.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium impact, and the EPSS score is not available, making the current exploitation probability unknown. The issue is not listed in the CISA KEV catalog, suggesting no publicly known exploits yet. The vulnerability can be exploited by embedding malicious path fragments in input that the framework later interprets without proper validation. Attackers who control the data channel feeding paths—such as an LLM endpoint that accepts user prompts—could trigger the path traversal and obtain filesystem data outside the intended sandbox.

Generated by OpenCVE AI on June 22, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LangChain to version 1.3.9 or later to apply the path‑restriction fix.
  • If an upgrade is not immediately possible, configure the file‑search middleware and loaders to reject any paths that resolve outside a pre‑defined safe directory, for example by validating the resolved absolute path against the configured root before use.
  • Validate any user or LLM‑generated path strings against a strict whitelist or regex pattern that disallows ".." and symlink references; optionally sandbox the execution environment to isolate the workspace.

Generated by OpenCVE AI on June 22, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source — including an LLM acting on untrusted input — the result can be disclosure of files outside the intended boundary. This vulnerability is fixed in 1.3.9.
Title LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Weaknesses CWE-22
CWE-59
References
Metrics cvssV3_1

{'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:22:06.808Z

Reserved: 2026-06-16T21:59:57.018Z

Link: CVE-2026-55443

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T19:30:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')