CVE-2026-34070 — HIGH (CVSS 7.5)

CISO Take

Any LangChain application that accepts user-supplied prompt configurations is vulnerable to arbitrary file read — including cloud credentials, Kubernetes manifests, and CI/CD configs. Update langchain-core to >=1.2.22 immediately and audit all code paths calling load_prompt() or load_prompt_from_config() with external input. No authentication required, network-exploitable with CVSS 7.5 — treat as urgent if you run LangChain-based APIs or low-code AI builders.

What is the risk?

High risk. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means zero-click, unauthenticated, remote exploitation with trivial attack complexity. The file-extension constraint (.txt, .json, .yaml) limits scope but does not meaningfully reduce risk — cloud credential files, Docker configs, and Kubernetes manifests all fall within readable extensions. LangChain's massive adoption across enterprise AI stacks means blast radius is broad. Exploitation requires only the ability to influence a config dict passed to the affected functions, which is the design intent of low-code AI builders and API wrappers.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
langchain-core	pip	< 1.2.22	`1.2.22`
136.3K OpenSSF 6.4 4.4K dependents Pushed 5d ago 88% patched ~20d to patch Full package profile →

Do you use langchain-core? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

7 steps

PATCH

Update langchain-core to >=1.2.22 immediately — this is the only complete fix.
MIGRATE

Replace load_prompt()/load_prompt_from_config() with the new langchain_core.load serialization APIs (dumpd/dumps/load/loads), which use an allowlist model and perform no filesystem reads.
AUDIT

Grep codebase and dependencies for imports of langchain_core.prompts.loading — pay attention to third-party LangChain extensions.
NETWORK CONTROLS

Ensure prompt configuration endpoints are not exposed to untrusted users without authentication.
DETECTION

Alert on filesystem reads from LangChain process to sensitive paths (/root, /home/*/.*, /mnt/secrets, ~/.docker, ~/.azure, ~/.aws).
RUNTIME

Apply seccomp/AppArmor profiles to restrict file access from LangChain workers to intended directories only.
WORKAROUND (if patching is delayed): Validate all prompt config dicts server-side — reject any template_path, suffix_path, prefix_path, examples, or example_prompt_path containing '..' or starting with '/'.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Article 9 - Risk Management System

ISO 42001

A.10.1 - Information security for AI systems A.6.1.2 - AI Risk Assessment A.8.4 - Data Security in AI Systems

NIST AI RMF

GOVERN 1.2 - Policies and Procedures for AI Risk GOVERN-6.1 - Policies for AI risk from third-party entities MANAGE 2.2 - Risk Treatment and Response MEASURE-2.5 - Risk from AI components and dependencies

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM03:2025 - Supply Chain LLM05 - Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-34070?

Any LangChain application that accepts user-supplied prompt configurations is vulnerable to arbitrary file read — including cloud credentials, Kubernetes manifests, and CI/CD configs. Update langchain-core to >=1.2.22 immediately and audit all code paths calling load_prompt() or load_prompt_from_config() with external input. No authentication required, network-exploitable with CVSS 7.5 — treat as urgent if you run LangChain-based APIs or low-code AI builders.

Is CVE-2026-34070 actively exploited?

No confirmed active exploitation of CVE-2026-34070 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34070?

1. PATCH: Update langchain-core to >=1.2.22 immediately — this is the only complete fix. 2. MIGRATE: Replace load_prompt()/load_prompt_from_config() with the new langchain_core.load serialization APIs (dumpd/dumps/load/loads), which use an allowlist model and perform no filesystem reads. 3. AUDIT: Grep codebase and dependencies for imports of langchain_core.prompts.loading — pay attention to third-party LangChain extensions. 4. NETWORK CONTROLS: Ensure prompt configuration endpoints are not exposed to untrusted users without authentication. 5. DETECTION: Alert on filesystem reads from LangChain process to sensitive paths (/root, /home/*/.*, /mnt/secrets, ~/.docker, ~/.azure, ~/.aws). 6. RUNTIME: Apply seccomp/AppArmor profiles to restrict file access from LangChain workers to intended directories only. 7. WORKAROUND (if patching is delayed): Validate all prompt config dicts server-side — reject any template_path, suffix_path, prefix_path, examples, or example_prompt_path containing '..' or starting with '/'.

What systems are affected by CVE-2026-34070?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application frameworks, RAG pipelines, low-code AI builders, prompt management systems.

What is the CVSS score for CVE-2026-34070?

CVE-2026-34070 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.

Exploitation Scenario

An attacker targets a SaaS AI platform built on LangChain that allows users to upload custom prompt templates via JSON configuration. They craft a malicious config with template_path set to /run/secrets/db_password.txt (a Docker secret) or examples set to ../../../../.aws/credentials. The platform passes this config directly to load_prompt_from_config() — a common pattern in low-code builders. The function reads the file without path validation and returns its contents as the prompt template, which is then echoed back in the API response or stored in a retrievable location. The attacker now has cloud credentials and proceeds to escalate to full infrastructure compromise. No special knowledge of AI/ML is required — only awareness of common cloud credential file paths.