CVE-2026-40087: LangChain template injection leaks

CISO Take

LangChain's DictPromptTemplate and ImagePromptTemplate classes failed to enforce attribute-access validation, allowing an attacker to inject f-string expressions like {obj.__class__.__init__.__globals__} that Python's formatter evaluates at runtime — potentially exposing API keys, environment variables, or application secrets embedded in the runtime object graph. LangChain is the most widely deployed LLM framework in production, and the attack requires no authentication and zero user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any application that passes user-controlled strings into these template classes immediately reachable; however, CISA KEV lists no active exploitation and no public exploits or scanner templates exist as of this writing. Patch langchain-core to ≥0.3.84 (0.x branch) or ≥1.2.28 (1.x branch) and audit all DictPromptTemplate and ImagePromptTemplate usage for user-supplied template string inputs.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Medium risk (CVSS 5.3) with an elevated operational concern due to LangChain's ubiquity across AI stacks. Low attack complexity and no authentication requirement lower the bar for exploitation significantly — any internet-exposed LangChain application accepting user-defined templates is in scope. The immediate impact is confidentiality only (no integrity or availability), but in AI agent contexts attribute traversal can reach tool configurations, memory stores, and credential objects. No CISA KEV listing, no EPSS data, and no public exploits reduce urgency compared to a critical, but the ease of exploitation and framework prevalence keep this in the 'patch this sprint' category.

How does the attack unfold?

Template Crafting

Adversary crafts a malicious f-string template embedding Python attribute traversal expressions (e.g., {obj.__class__.__init__.__globals__[os].environ[SECRET]}) targeting DictPromptTemplate or ImagePromptTemplate input fields.

AML.T0065

Validation Bypass

The crafted template passes LangChain's incomplete field-name validation because attribute-access and nested-specifier checks are not enforced in the affected template classes.

AML.T0049

Runtime Evaluation

When the application formats the template with a legitimate query, Python's str.format() resolves the injected attribute chain at runtime, traversing the application's live object graph.

AML.T0051.000

Data Exfiltration

Sensitive application state — API keys, environment variables, database credentials, or internal configuration — is embedded in the formatted prompt string and exposed through LLM output, application logs, or API responses.

AML.T0057

Template Crafting

Adversary crafts a malicious f-string template embedding Python attribute traversal expressions (e.g., {obj.__class__.__init__.__globals__[os].environ[SECRET]}) targeting DictPromptTemplate or ImagePromptTemplate input fields.

AML.T0065

Validation Bypass

The crafted template passes LangChain's incomplete field-name validation because attribute-access and nested-specifier checks are not enforced in the affected template classes.

AML.T0049

Runtime Evaluation

When the application formats the template with a legitimate query, Python's str.format() resolves the injected attribute chain at runtime, traversing the application's live object graph.

AML.T0051.000

Data Exfiltration

Sensitive application state — API keys, environment variables, database credentials, or internal configuration — is embedded in the formatted prompt string and exposed through LLM output, application logs, or API responses.

AML.T0057

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LangChain	pip	—	No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →
LangChain Core	pip	—	No patch
139.8K OpenSSF 5.9 4.8K dependents Pushed 2d ago 78% patched ~23d to patch Full package profile →

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I None

A None

What should I do?

5 steps

Patch: Upgrade langchain-core to ≥0.3.84 (0.x branch) or ≥1.2.28 (1.x branch); verify via pip show langchain-core.
Audit: Search codebase for DictPromptTemplate and ImagePromptTemplate instantiations — flag every instance where the template string parameter originates from user input, environment variables read at runtime, or external data sources.
Workaround if patching is delayed: validate template strings with a strict allowlist regex that rejects any curly-brace expression containing dot notation, bracket indexing, or nested braces (pattern: r'\{[^}]*[.\[][^}]*\}' or nested \{.*\{).
Detection: Monitor LLM prompt logs and application output for Python object repr() strings, __dict__ dumps, or unexpected serializations that indicate attribute traversal succeeded.
Defense-in-depth: Never pass raw user input as a template string — use PromptTemplate with validated variable substitution only.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Prompt Injection Data Extraction Framework AML.T0049 - Exploit Public-Facing Application AML.T0051.000 - Direct AML.T0057 - LLM Data Leakage

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.4 - AI system operation — data and input quality controls

NIST AI RMF

MAP-5.2 - AI system practices and personnel are evaluated for trustworthiness

OWASP LLM Top 10

LLM01:2025 - Prompt Injection LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-40087?

LangChain's DictPromptTemplate and ImagePromptTemplate classes failed to enforce attribute-access validation, allowing an attacker to inject f-string expressions like {obj.__class__.__init__.__globals__} that Python's formatter evaluates at runtime — potentially exposing API keys, environment variables, or application secrets embedded in the runtime object graph. LangChain is the most widely deployed LLM framework in production, and the attack requires no authentication and zero user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any application that passes user-controlled strings into these template classes immediately reachable; however, CISA KEV lists no active exploitation and no public exploits or scanner templates exist as of this writing. Patch langchain-core to ≥0.3.84 (0.x branch) or ≥1.2.28 (1.x branch) and audit all DictPromptTemplate and ImagePromptTemplate usage for user-supplied template string inputs.

Is CVE-2026-40087 actively exploited?

No confirmed active exploitation of CVE-2026-40087 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40087?

1. Patch: Upgrade langchain-core to ≥0.3.84 (0.x branch) or ≥1.2.28 (1.x branch); verify via pip show langchain-core. 2. Audit: Search codebase for DictPromptTemplate and ImagePromptTemplate instantiations — flag every instance where the template string parameter originates from user input, environment variables read at runtime, or external data sources. 3. Workaround if patching is delayed: validate template strings with a strict allowlist regex that rejects any curly-brace expression containing dot notation, bracket indexing, or nested braces (pattern: r'\{[^}]*[.\[][^}]*\}' or nested \{.*\{). 4. Detection: Monitor LLM prompt logs and application output for Python object repr() strings, __dict__ dumps, or unexpected serializations that indicate attribute traversal succeeded. 5. Defense-in-depth: Never pass raw user input as a template string — use PromptTemplate with validated variable substitution only.

What systems are affected by CVE-2026-40087?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application backends, chatbot implementations.

What is the CVSS score for CVE-2026-40087?

CVE-2026-40087 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.26%.

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelinesLLM application backendschatbot implementations

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0051.000 Direct

AML.T0057 LLM Data Leakage

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 8.4

NIST AI RMF: MAP-5.2

OWASP LLM Top 10: LLM01:2025, LLM02:2025

What are the technical details?

Original Advisory

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28.

Exploitation Scenario

An adversary targets a customer-facing LangChain application that lets users customize their assistant's prompt template. The attacker submits a template string such as 'Answer: {query.__class__.__init__.__globals__[os].environ[OPENAI_API_KEY]}' through the UI. Because DictPromptTemplate skips attribute-access validation, LangChain accepts the template without rejection. When a legitimate query is processed, Python's str.format() resolves the chained attribute traversal at runtime, injecting the application's OpenAI API key directly into the formatted prompt. The key appears in LLM context, application logs, or is returned in the response — giving the attacker valid credentials to the AI backend at zero cost.

Weaknesses (CWE)

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine Primary

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine: The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

[Architecture and Design] Choose a template engine that offers a sandbox or restricted mode, or at least limits the power of any available expressions, function calls, or commands.
[Implementation] Use the template engine's sandbox or restricted mode, if available.

Source: MITRE CWE corpus.