CVE-2026-48776: LangChain path traversal bypasses

CISO Take

The LangGraph Python SDK (versions ≤0.3.14) embeds caller-supplied identifier values — thread IDs, assistant IDs, run IDs — directly into HTTP request paths without sanitization, allowing path traversal sequences to redirect requests to unintended LangGraph API resources. The risk is most acute in deployments where end-user input flows directly into SDK identifier parameters and authorization is enforced upstream at a reverse proxy, WAF, or edge gateway based on expected URL prefixes rather than the final delivered path — a common architectural pattern for LangGraph API deployments. With 2,739 downstream dependents, a package risk score of 77/100, and 53 prior CVEs in the same package, the ecosystem exposure is meaningful, though the CVSS AC:H rating (4.2 Medium) reflects that exploitation requires this specific deployment topology; there is no public exploit, no Nuclei template, and the vulnerability is not in CISA KEV. Teams running LangGraph API servers behind proxy-based authorization must upgrade to SDK version 0.3.15 immediately and validate all identifier inputs against a strict UUID format before passing them to the SDK.

Sources: NVD GitHub Advisory ATLAS OpenSSF

What is the risk?

Medium risk (CVSS 4.2, AV:N/AC:H/PR:L). Exploitation requires a specific and verifiable deployment pattern: user-supplied identifiers forwarded to the SDK without validation, combined with upstream prefix-based authorization. In zero-trust environments where authorization decisions are enforced at the API server level rather than the proxy tier, this vulnerability is not exploitable. However, LangGraph's canonical deployment topology — API server behind a reverse proxy or cloud gateway with path-based routing rules — precisely matches the vulnerable pattern. The package's history (53 CVEs, OpenSSF score 6.4/10) suggests systemic security debt, warranting elevated scrutiny beyond this single CVE.

How does the attack unfold?

Initial Access

Low-privilege authenticated user submits a crafted identifier value containing path traversal sequences through a user-facing application that forwards input without validation to the LangGraph Python SDK.

AML.T0049

Path Manipulation

The unpatched LangGraph SDK constructs an HTTP request URL embedding the unsanitized identifier verbatim, producing a path that resolves via normalization to a different resource than the SDK call site indicates.

Authorization Bypass

The upstream reverse proxy or WAF grants the request based on the intended URL prefix matching the user's permissions, without inspecting the manipulated final path that reaches the LangGraph API server.

AML.T0107

Unauthorized Resource Access

The adversary reads, modifies, or deletes LangGraph resources — threads, assistants, runs — outside their authorization scope, with cross-tenant data exposure as the highest-impact outcome in multi-tenant deployments.

AML.T0053

Initial Access

Low-privilege authenticated user submits a crafted identifier value containing path traversal sequences through a user-facing application that forwards input without validation to the LangGraph Python SDK.

AML.T0049

Path Manipulation

The unpatched LangGraph SDK constructs an HTTP request URL embedding the unsanitized identifier verbatim, producing a path that resolves via normalization to a different resource than the SDK call site indicates.

Authorization Bypass

The upstream reverse proxy or WAF grants the request based on the intended URL prefix matching the user's permissions, without inspecting the manipulated final path that reaches the LangGraph API server.

AML.T0107

Unauthorized Resource Access

The adversary reads, modifies, or deletes LangGraph resources — threads, assistants, runs — outside their authorization scope, with cross-tenant data exposure as the highest-impact outcome in multi-tenant deployments.

AML.T0053

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
LangChain	pip	—	No patch
139.2K OpenSSF 6.4 2.7K dependents Pushed 3d ago 23% patched ~165d to patch Full package profile →
LangChain	pip	—	No patch
139.2K OpenSSF 6.4 2.7K dependents Pushed 3d ago 23% patched ~165d to patch Full package profile →
LangGraph	pip	—	No patch
34.7K 3.3K dependents Pushed 3d ago 80% patched ~3d to patch Full package profile →

How severe is it?

CVSS 3.1

4.2 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC High

PR Low

UI None

S Unchanged

C Low

I Low

A None

What should I do?

5 steps

Patch: upgrade langgraph SDK to version 0.3.15 or later — the fix applies sanitization to all identifier values before URL path construction.
Input validation: enforce strict UUID v4 format validation (^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$) on all identifier parameters at the application boundary before passing to the SDK.
Architecture audit: review whether your reverse proxy, WAF, or API gateway makes authorization decisions on the intended path or the final delivered path — if the former, this is your primary risk surface.
Detection: scan LangGraph API server access logs for requests containing ../, %2e%2e, %252e, or double-encoded variants in resource identifier fields.
Scope reduction: if identifiers are generated server-side and never derived from untrusted input, document this as a compensating control while scheduling the upgrade.

How is it classified?

Auth Bypass Data Extraction Framework Agent AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0107 - Exploitation for Defense Evasion

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI risk management process

NIST AI RMF

MANAGE 2.4 - Residual risks are managed and monitored

OWASP LLM Top 10

LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-48776?

The LangGraph Python SDK (versions ≤0.3.14) embeds caller-supplied identifier values — thread IDs, assistant IDs, run IDs — directly into HTTP request paths without sanitization, allowing path traversal sequences to redirect requests to unintended LangGraph API resources. The risk is most acute in deployments where end-user input flows directly into SDK identifier parameters and authorization is enforced upstream at a reverse proxy, WAF, or edge gateway based on expected URL prefixes rather than the final delivered path — a common architectural pattern for LangGraph API deployments. With 2,739 downstream dependents, a package risk score of 77/100, and 53 prior CVEs in the same package, the ecosystem exposure is meaningful, though the CVSS AC:H rating (4.2 Medium) reflects that exploitation requires this specific deployment topology; there is no public exploit, no Nuclei template, and the vulnerability is not in CISA KEV. Teams running LangGraph API servers behind proxy-based authorization must upgrade to SDK version 0.3.15 immediately and validate all identifier inputs against a strict UUID format before passing them to the SDK.

Is CVE-2026-48776 actively exploited?

No confirmed active exploitation of CVE-2026-48776 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-48776?

1. Patch: upgrade langgraph SDK to version 0.3.15 or later — the fix applies sanitization to all identifier values before URL path construction. 2. Input validation: enforce strict UUID v4 format validation (`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`) on all identifier parameters at the application boundary before passing to the SDK. 3. Architecture audit: review whether your reverse proxy, WAF, or API gateway makes authorization decisions on the intended path or the final delivered path — if the former, this is your primary risk surface. 4. Detection: scan LangGraph API server access logs for requests containing `../`, `%2e%2e`, `%252e`, or double-encoded variants in resource identifier fields. 5. Scope reduction: if identifiers are generated server-side and never derived from untrusted input, document this as a compensating control while scheduling the upgrade.

What systems are affected by CVE-2026-48776?

This vulnerability affects the following AI/ML architecture patterns: Multi-tenant LangGraph API deployments, Agent frameworks with proxy-based authorization, LLM orchestration pipelines behind WAF or API gateways, AI applications with user-supplied resource identifiers.

What is the CVSS score for CVE-2026-48776?

CVE-2026-48776 has a CVSS v3.1 base score of 4.2 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

Multi-tenant LangGraph API deploymentsAgent frameworks with proxy-based authorizationLLM orchestration pipelines behind WAF or API gatewaysAI applications with user-supplied resource identifiers

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to address a different resource (and potentially a different resource type) than the SDK method's call site indicates. In deployments where the SDK receives identifier values that originate from untrusted sources, this could result in unintended access, modification, or deletion of resources beyond the calling user's authorization scope. This issue is most consequential in deployments that forward end-user-supplied values directly into SDK identifier parameters without first validating them against an expected format (such as a UUID), and rely on URL-prefix-based authorization at an upstream layer (reverse proxy, edge gateway, WAF), where the authorization decision is made on the SDK call's intended path rather than on the final delivered request path. The issue has been fixed in version 0.3.15.

Exploitation Scenario

In a multi-tenant SaaS platform using LangGraph to power per-customer AI assistants, a user submits a thread ID of `my-thread-id/../../other-customer-thread-id` through the application's chat API. The application forwards this value to the LangGraph Python SDK's thread runs endpoint without UUID validation. The SDK constructs the path `/threads/my-thread-id/../../other-customer-thread-id/runs`, which the LangGraph API server normalizes to `/other-customer-thread-id/runs`. The upstream reverse proxy had authorized the request because the user holds a valid session and the initial prefix matched their allowed thread namespace — it evaluated authorization on the intended path, not the traversed destination. The attacker reads the full conversation history of another tenant's AI assistant thread or injects a malicious run into that thread, escalating within the AI orchestration layer without ever triggering conventional IAM controls.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-863 Incorrect Authorization

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.