CVE-2026-34070: langchain-core: path traversal exposes host secrets via prompt config

GHSA-qh6h-p6c9-ff54 HIGH CISA: TRACK*
Published March 27, 2026
CISO Take

Any LangChain application that accepts user-supplied prompt configurations is vulnerable to arbitrary file read — including cloud credentials, Kubernetes manifests, and CI/CD configs. Update langchain-core to >=1.2.22 immediately and audit all code paths calling load_prompt() or load_prompt_from_config() with external input. No authentication required, network-exploitable with CVSS 7.5 — treat as urgent if you run LangChain-based APIs or low-code AI builders.

What is the risk?

High risk. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means zero-click, unauthenticated, remote exploitation with trivial attack complexity. The file-extension constraint (.txt, .json, .yaml) limits scope but does not meaningfully reduce risk — cloud credential files, Docker configs, and Kubernetes manifests all fall within readable extensions. LangChain's massive adoption across enterprise AI stacks means blast radius is broad. Exploitation requires only the ability to influence a config dict passed to the affected functions, which is the design intent of low-code AI builders and API wrappers.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain Core pip < 1.2.22 1.2.22
140.3K OpenSSF 5.8 4.8K dependents Pushed 7d ago 78% patched ~36d to patch Full package profile →

Do you use LangChain Core? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
1.2%
chance of exploitation in 30 days
Higher than 64% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

7 steps
  1. PATCH

    Update langchain-core to >=1.2.22 immediately — this is the only complete fix.

  2. MIGRATE

    Replace load_prompt()/load_prompt_from_config() with the new langchain_core.load serialization APIs (dumpd/dumps/load/loads), which use an allowlist model and perform no filesystem reads.

  3. AUDIT

    Grep codebase and dependencies for imports of langchain_core.prompts.loading — pay attention to third-party LangChain extensions.

  4. NETWORK CONTROLS

    Ensure prompt configuration endpoints are not exposed to untrusted users without authentication.

  5. DETECTION

    Alert on filesystem reads from LangChain process to sensitive paths (/root, /home/*/.*, /mnt/secrets, ~/.docker, ~/.azure, ~/.aws).

  6. RUNTIME

    Apply seccomp/AppArmor profiles to restrict file access from LangChain workers to intended directories only.

  7. WORKAROUND (if patching is delayed): Validate all prompt config dicts server-side — reject any template_path, suffix_path, prefix_path, examples, or example_prompt_path containing '..' or starting with '/'.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity Article 9 - Risk Management System
ISO 42001
A.10.1 - Information security for AI systems A.6.1.2 - AI Risk Assessment A.8.4 - Data Security in AI Systems
NIST AI RMF
GOVERN 1.2 - Policies and Procedures for AI Risk GOVERN-6.1 - Policies for AI risk from third-party entities MANAGE 2.2 - Risk Treatment and Response MEASURE-2.5 - Risk from AI components and dependencies
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM03:2025 - Supply Chain LLM05 - Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-34070?

Any LangChain application that accepts user-supplied prompt configurations is vulnerable to arbitrary file read — including cloud credentials, Kubernetes manifests, and CI/CD configs. Update langchain-core to >=1.2.22 immediately and audit all code paths calling load_prompt() or load_prompt_from_config() with external input. No authentication required, network-exploitable with CVSS 7.5 — treat as urgent if you run LangChain-based APIs or low-code AI builders.

Is CVE-2026-34070 actively exploited?

No confirmed active exploitation of CVE-2026-34070 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34070?

1. PATCH: Update langchain-core to >=1.2.22 immediately — this is the only complete fix. 2. MIGRATE: Replace load_prompt()/load_prompt_from_config() with the new langchain_core.load serialization APIs (dumpd/dumps/load/loads), which use an allowlist model and perform no filesystem reads. 3. AUDIT: Grep codebase and dependencies for imports of langchain_core.prompts.loading — pay attention to third-party LangChain extensions. 4. NETWORK CONTROLS: Ensure prompt configuration endpoints are not exposed to untrusted users without authentication. 5. DETECTION: Alert on filesystem reads from LangChain process to sensitive paths (/root, /home/*/.*, /mnt/secrets, ~/.docker, ~/.azure, ~/.aws). 6. RUNTIME: Apply seccomp/AppArmor profiles to restrict file access from LangChain workers to intended directories only. 7. WORKAROUND (if patching is delayed): Validate all prompt config dicts server-side — reject any template_path, suffix_path, prefix_path, examples, or example_prompt_path containing '..' or starting with '/'.

What systems are affected by CVE-2026-34070?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application frameworks, RAG pipelines, low-code AI builders, prompt management systems.

What is the CVSS score for CVE-2026-34070?

CVE-2026-34070 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.18%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM application frameworksRAG pipelineslow-code AI buildersprompt management systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art.15, Article 9
ISO 42001: A.10.1, A.6.1.2, A.8.4
NIST AI RMF: GOVERN 1.2, GOVERN-6.1, MANAGE 2.2, MEASURE-2.5
OWASP LLM Top 10: LLM02:2025, LLM03:2025, LLM05, LLM06

What are the technical details?

Original Advisory

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.

Exploitation Scenario

An attacker targets a SaaS AI platform built on LangChain that allows users to upload custom prompt templates via JSON configuration. They craft a malicious config with template_path set to /run/secrets/db_password.txt (a Docker secret) or examples set to ../../../../.aws/credentials. The platform passes this config directly to load_prompt_from_config() — a common pattern in low-code builders. The function reads the file without path validation and returns its contents as the prompt template, which is then echoed back in the API response or stored in a retrievable location. The attacker now has cloud credentials and proceeds to escalate to full infrastructure compromise. No special knowledge of AI/ML is required — only awareness of common cloud credential file paths.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
March 27, 2026
Last Modified
June 30, 2026
First Seen
March 27, 2026

Related Vulnerabilities