CVE-2023-36281: LangChain: RCE via malicious JSON prompt template

Severity: CRITICAL | PoC available | CISA SSVC: Attend
Published August 22, 2023
CISO Take

Any LangChain deployment on v0.0.171 or earlier that loads prompt templates from JSON files is vulnerable to unauthenticated remote code execution — no user interaction required. Update to v0.0.312+ immediately and audit all uses of load_prompt() for untrusted input paths. If you cannot patch now, disable external prompt file loading and treat prompt template sources as a trust boundary.

What is the risk?

Severity is maximal: CVSS 9.8 with network-accessible, zero-authentication, zero-interaction exploitation. The __subclasses__ Python class traversal technique is well-documented and PoC code is publicly available, making this trivially exploitable by script-kiddies. LangChain was the dominant LLM framework at time of disclosure, meaning blast radius across the AI/ML ecosystem was exceptionally high. Any internet-facing application built on LangChain that accepts or loads prompt configurations from user-controlled or external sources is at direct risk of full system compromise.

What systems are affected?

Package: LangChain
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 2.8% chance of exploitation in 30 days (higher than 85% of all CVEs)
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. PATCH

    Upgrade LangChain to v0.0.312 or later — this is the minimum safe version per the vendor advisory.

  2. AUDIT

    Run grep -r 'load_prompt' across all codebases to enumerate every call site.

  3. INPUT VALIDATION

    Ensure no user-controlled data reaches prompt template file paths or JSON content.

  4. SANDBOXING

    If prompt loading from external sources is required, isolate the LangChain process in a container with minimal privileges and no access to sensitive credentials.

  5. DETECTION

    Monitor for unusual subprocess spawning or outbound network connections from LangChain processes.

  6. SECRETS ROTATION

    If exposure is suspected, rotate all API keys and credentials accessible to the affected process.
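The input-validation step above, as an added example that is not LangChain's or this page's own code: a gate that parses an untrusted prompt-template JSON document before it ever reaches a loader such as load_prompt(). The accepted key set, the f-string-only policy and the plain-placeholder rule are assumptions of this example, not the framework's schema.

```python
import json
import re
from string import Formatter

# Policy assumed for this example (not LangChain's own schema): only these keys,
# an inline f-string template, and only plain {name} placeholders are accepted.
ALLOWED_KEYS = {"_type", "template", "input_variables", "template_format"}
ALLOWED_FORMATS = {"f-string"}
DUNDER = re.compile(r"__\w+__")  # __subclasses__, __class__, __globals__, ...

class UnsafePromptTemplate(ValueError):
    """Raised when an untrusted prompt-template document fails the policy."""

def validate_prompt_json(raw: bytes) -> dict:
    """Parse and check an untrusted JSON prompt template before any framework loader
    (such as load_prompt) sees it. Returns the document or raises ValueError."""
    doc = json.loads(raw)  # JSONDecodeError is a ValueError
    if not isinstance(doc, dict):
        raise UnsafePromptTemplate("top-level value must be an object")
    extra = set(doc) - ALLOWED_KEYS  # e.g. keys that redirect to another file
    if extra:
        raise UnsafePromptTemplate(f"unexpected keys: {sorted(extra)}")
    template = doc.get("template")
    if not isinstance(template, str):
        raise UnsafePromptTemplate("template must be an inline string")
    fmt = doc.get("template_format", "f-string")
    if fmt not in ALLOWED_FORMATS:  # no jinja2 or other code-evaluating engines
        raise UnsafePromptTemplate(f"template_format {fmt!r} not allowed")
    if DUNDER.search(template):
        raise UnsafePromptTemplate("dunder attribute access in template")
    declared = doc.get("input_variables", [])
    if not isinstance(declared, list) or not all(isinstance(v, str) for v in declared):
        raise UnsafePromptTemplate("input_variables must be a list of strings")
    # Formatter.parse raises ValueError on unbalanced braces; field None is literal text
    for _, field, _, _ in Formatter().parse(template):
        # {x.attr} or {x[0]} lets str.format walk object attributes; allow bare names only
        if field is not None and (not field.isidentifier() or field not in declared):
            raise UnsafePromptTemplate(f"placeholder {field!r} is not a declared variable")
    return doc

def is_safe_prompt_json(raw: bytes) -> bool:
    """Gate for request handlers: True only if the document passes every check."""
    try:
        validate_prompt_json(raw)
    except ValueError:
        return False
    return True
```

Put the gate in front of the deserialisation call, not behind it: a document that fails here must never be handed to the framework loader, since that loader is the code path the advisory describes.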

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
8.4 - AI system operation and monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM02 - Insecure Output Handling
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2023-36281 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-36281, increasing the risk of exploitation.

What systems are affected by CVE-2023-36281?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application backends, multi-agent orchestration, prompt management systems.

What is the CVSS score for CVE-2023-36281?

CVE-2023-36281 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 2.83%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, RAG pipelines, LLM application backends, multi-agent orchestration, prompt management systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: 8.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02, LLM05

What are the technical details?

Original Advisory

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template.

Exploitation Scenario

An adversary targets a company's internal AI assistant built on LangChain v0.0.171. The application exposes an endpoint that accepts a prompt template configuration file for custom agent personas. The attacker submits a crafted JSON file containing a malicious template that leverages Python's __subclasses__() method to traverse the class hierarchy and access os.system() or subprocess.Popen(). Upon loading, LangChain evaluates the template, executing the attacker's payload — typically a reverse shell or credential harvester. The attacker now has shell access to the AI infrastructure, exfiltrates OpenAI/Anthropic API keys from environment variables, pivots to connected vector databases, and extracts proprietary RAG document stores containing sensitive business data.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 22, 2023
Last Modified: November 21, 2024
First Seen: August 22, 2023
