CVE-2026-44843: LangChain deserialization poisons LLM

Q: Is CVE-2026-44843 actively exploited?

No confirmed active exploitation of CVE-2026-44843 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-44843?

1. PATCH: Upgrade langchain-core to 1.3.3 or later — fixes both the broad allowed_objects deserialization default and the _is_lc_secret marker bypass. 2. MIGRATE: Replace RunnableWithMessageHistory with LangGraph memory primitives; replace astream_log() and astream_events(version='v1') with the current stream() API as directed by LangChain deprecation guidance. 3. INPUT VALIDATION: Enforce strict schema validation coercing all user input to plain strings or typed message-content schemas before invoking any LangChain API — this is the most effective compensating control if patching is delayed. 4. AUDIT LOAD/LOADS USAGE: Search codebases for calls to load() and loads(); ensure they receive only trusted manifests from controlled storage, never request bodies, tool inputs, or chat messages. Restrict allowed_objects to the minimum necessary set for the specific manifest being loaded. 5. DETECTION: Alert on inbound requests containing JSON keys 'lc', 'type': 'constructor', and 'id' at WAF or application ingress. Review LangChain call traces for unexpected object instantiation patterns. Monitor shared prompt stores and Hub artifacts for unexpected constructor-type entries.

Q: What systems are affected by CVE-2026-44843?

This vulnerability affects the following AI/ML architecture patterns: Conversational AI and chatbot backends, Agent frameworks with session memory, LLM application backends using LangChain streaming APIs, RAG pipelines using astream_log or astream_events, Applications using LangChain serialization stores or Hub artifacts.

Q: What is the CVSS score for CVE-2026-44843?

CVE-2026-44843 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.41%.

CISO Take

CVE-2026-44843 is a CWE-502 unsafe deserialization flaw in langchain-core that allows attackers to inject crafted LangChain constructor payloads into applications accepting unvalidated structured input — turning trusted LangChain code paths into object instantiation primitives controlled by the attacker. With 4,317 downstream dependents and a CVSS 8.2 score, blast radius is exceptionally broad across the LangChain ecosystem; any chatbot, agent, or RAG pipeline using RunnableWithMessageHistory, astream_log(), or astream_events(v1) without enforcing strict input schemas is exposed. No public exploit exists and it is absent from CISA KEV, but the attack primitive is fully documented in the public advisory, significantly lowering the bar for exploitation against unpatched deployments. Patch to langchain-core 1.3.3 immediately; if patching is delayed, enforce schema validation that coerces all user input to plain strings or typed message-content fields before any LangChain API call.

Sources: NVD GitHub Advisory ATLAS OpenSSF CISA KEV

What is the risk?

CVSS 8.2 with network-accessible attack vector, low complexity, no privileges required, and no user interaction — worst-case exploitation conditions short of active KEV listing. The multi-step exploitation chain (unvalidated structured input must reach a broad deserialization path) limits trivially automated mass exploitation, but this is a realistic condition for any chatbot or API proxy that forwards raw JSON to LangChain. With 4,317 downstream dependents and a package risk score of 22/100 (elevated for this ecosystem tier), exposure is substantial. OpenSSF scorecard of 6.5/10 reflects moderate security posture. The related _is_lc_secret bypass widens the deserialization surface further during dumps()/loads() round-trips. Primary risk is silent, persistent prompt injection that compromises AI system behavior across all future interactions in affected sessions — an impact that can persist long after the initial exploit window closes.

How does the attack unfold?

Input Injection

Attacker submits a crafted JSON payload containing a LangChain constructor dictionary (keys: lc, type, id, kwargs targeting SystemMessage or AIMessage) to a public-facing application endpoint accepting structured user input.

AML.T0049

Payload Propagation

Application forwards unsanitized input directly to RunnableWithMessageHistory, astream_log(), or astream_events(v1) without schema validation, preserving attacker-controlled nested dictionaries intact in LangChain run data.

AML.T0093

Deserialization Exploitation

LangChain's broad load() call with allowed_objects='all' instantiates the attacker-specified message class with untrusted constructor arguments rather than treating the payload as inert user content.

AML.T0010.001

Persistent Context Poisoning

Revived attacker-controlled message objects stored by RunnableWithMessageHistory are injected into all future LLM context windows for the affected session, enabling silent persistent prompt injection across all subsequent model interactions.

AML.T0080.001

Input Injection

Attacker submits a crafted JSON payload containing a LangChain constructor dictionary (keys: lc, type, id, kwargs targeting SystemMessage or AIMessage) to a public-facing application endpoint accepting structured user input.

AML.T0049

Payload Propagation

Application forwards unsanitized input directly to RunnableWithMessageHistory, astream_log(), or astream_events(v1) without schema validation, preserving attacker-controlled nested dictionaries intact in LangChain run data.

AML.T0093

Deserialization Exploitation

LangChain's broad load() call with allowed_objects='all' instantiates the attacker-specified message class with untrusted constructor arguments rather than treating the payload as inert user content.

AML.T0010.001

Persistent Context Poisoning

Revived attacker-controlled message objects stored by RunnableWithMessageHistory are injected into all future LLM context windows for the affected session, enabling silent persistent prompt injection across all subsequent model interactions.

AML.T0080.001

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LangChain	pip	—	No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →
LangChain Community	pip	—	No patch
139.8K OpenSSF 5.9 1.2K dependents Pushed 2d ago 57% patched ~48d to patch Full package profile →
LangChain Core	pip	>= 1.0.0, <= 1.3.2	`1.3.3`
139.8K OpenSSF 5.9 4.8K dependents Pushed 2d ago 78% patched ~23d to patch Full package profile →

How severe is it?

CVSS 3.1

8.2 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 32% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I Low

A None

What should I do?

5 steps

PATCH

Upgrade langchain-core to 1.3.3 or later — fixes both the broad allowed_objects deserialization default and the _is_lc_secret marker bypass.
MIGRATE

Replace RunnableWithMessageHistory with LangGraph memory primitives; replace astream_log() and astream_events(version='v1') with the current stream() API as directed by LangChain deprecation guidance.
INPUT VALIDATION

Enforce strict schema validation coercing all user input to plain strings or typed message-content schemas before invoking any LangChain API — this is the most effective compensating control if patching is delayed.
AUDIT LOAD/LOADS USAGE: Search codebases for calls to load() and loads(); ensure they receive only trusted manifests from controlled storage, never request bodies, tool inputs, or chat messages. Restrict allowed_objects to the minimum necessary set for the specific manifest being loaded.
DETECTION

Alert on inbound requests containing JSON keys 'lc', 'type': 'constructor', and 'id' at WAF or application ingress. Review LangChain call traces for unexpected object instantiation patterns. Monitor shared prompt stores and Hub artifacts for unexpected constructor-type entries.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Prompt Injection Code Execution Supply Chain Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0080.000 - Memory AML.T0080.001 - Thread AML.T0093 - Prompt Infiltration via Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - Data for AI systems A.8.4 - AI system technical security controls

NIST AI RMF

GOVERN-6.2 - Policies and procedures for AI risk MANAGE-2.4 - Residual risks and impacts from AI

OWASP LLM Top 10

LLM01:2025 - Prompt Injection LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-44843?

CVE-2026-44843 is a CWE-502 unsafe deserialization flaw in langchain-core that allows attackers to inject crafted LangChain constructor payloads into applications accepting unvalidated structured input — turning trusted LangChain code paths into object instantiation primitives controlled by the attacker. With 4,317 downstream dependents and a CVSS 8.2 score, blast radius is exceptionally broad across the LangChain ecosystem; any chatbot, agent, or RAG pipeline using RunnableWithMessageHistory, astream_log(), or astream_events(v1) without enforcing strict input schemas is exposed. No public exploit exists and it is absent from CISA KEV, but the attack primitive is fully documented in the public advisory, significantly lowering the bar for exploitation against unpatched deployments. Patch to langchain-core 1.3.3 immediately; if patching is delayed, enforce schema validation that coerces all user input to plain strings or typed message-content fields before any LangChain API call.

Is CVE-2026-44843 actively exploited?

No confirmed active exploitation of CVE-2026-44843 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44843?

1. PATCH: Upgrade langchain-core to 1.3.3 or later — fixes both the broad allowed_objects deserialization default and the _is_lc_secret marker bypass. 2. MIGRATE: Replace RunnableWithMessageHistory with LangGraph memory primitives; replace astream_log() and astream_events(version='v1') with the current stream() API as directed by LangChain deprecation guidance. 3. INPUT VALIDATION: Enforce strict schema validation coercing all user input to plain strings or typed message-content schemas before invoking any LangChain API — this is the most effective compensating control if patching is delayed. 4. AUDIT LOAD/LOADS USAGE: Search codebases for calls to load() and loads(); ensure they receive only trusted manifests from controlled storage, never request bodies, tool inputs, or chat messages. Restrict allowed_objects to the minimum necessary set for the specific manifest being loaded. 5. DETECTION: Alert on inbound requests containing JSON keys 'lc', 'type': 'constructor', and 'id' at WAF or application ingress. Review LangChain call traces for unexpected object instantiation patterns. Monitor shared prompt stores and Hub artifacts for unexpected constructor-type entries.

What systems are affected by CVE-2026-44843?

This vulnerability affects the following AI/ML architecture patterns: Conversational AI and chatbot backends, Agent frameworks with session memory, LLM application backends using LangChain streaming APIs, RAG pipelines using astream_log or astream_events, Applications using LangChain serialization stores or Hub artifacts.

What is the CVSS score for CVE-2026-44843?

CVE-2026-44843 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.41%.

What is the AI security impact?

Affected AI Architectures

Conversational AI and chatbot backendsAgent frameworks with session memoryLLM application backends using LangChain streaming APIsRAG pipelines using astream_log or astream_eventsApplications using LangChain serialization stores or Hub artifacts

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0080.000 Memory

AML.T0080.001 Thread

AML.T0093 Prompt Infiltration via Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.6, A.8.4

NIST AI RMF: GOVERN-6.2, MANAGE-2.4

OWASP LLM Top 10: LLM01:2025, LLM02:2025

What are the technical details?

Original Advisory

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3.

Exploitation Scenario

An attacker targeting a production customer service chatbot built on LangChain submits a crafted JSON body to the chat API: the message field contains a nested dictionary with keys lc, type, id pointing to SystemMessage, and kwargs containing injected instructions. The application, which proxies user messages directly to RunnableWithMessageHistory without coercing them to plain strings, preserves the nested dictionary in the LangChain run inputs. LangChain's broad load() call with allowed_objects='all' revives the attacker-specified SystemMessage and stores it in the session's persistent history. All subsequent LLM calls for that session — and any session sharing that history store — now include the attacker's injected system-level instructions in the model context, enabling persistent prompt injection: bypassing content policies, redirecting the assistant's persona, or exfiltrating subsequent user inputs through manipulated model responses. The attack is silent, requires no elevated privileges, and persists across server restarts as long as the poisoned history remains in the store.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary CWE-502 Deserialization of Untrusted Data Primary

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

[Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
[Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.