CVE-2026-7845: Langchain-Chatchat: weak image hash allows integrity bypass

GHSA-wmvv-fhm6-w34x LOW CISA: TRACK*
Published May 5, 2026
CISO Take

Langchain-Chatchat's vision chat paste image handler uses PIL.Image.tobytes() as a weak hashing primitive (CWE-327/328), enabling hash-collision attacks against image data flowing into multimodal LLM conversations. Despite a low CVSS score of 2.6, an exploit has been published and no patch exists for versions ≤ 0.3.1.3, leaving 2,603 downstream dependents exposed. The package risk score is 77/100, a notably poor security posture for a package carrying 48 prior CVEs. The EPSS score of 0.00013 indicates a low near-term probability of exploitation in the wild, but the vendor has not responded to coordinated disclosure (GitHub issue #5462), so the attack surface remains unmitigated indefinitely. Until a fix is released, disable the paste image feature in dialogue.py and enforce network segmentation to restrict adjacent-network access to the service.

Sources: NVD EPSS GitHub Advisory ATLAS OpenSSF

What is the risk?

Inherent risk is low per CVSS 2.6 — constrained by high attack complexity, adjacent-network-only vector, and limited impact (integrity only, no confidentiality or availability). Practical risk is elevated by three compounding factors: no patch exists, a proof-of-concept exploit is publicly available, and the package's history of 48 CVEs reflects a weak security posture. Organizations running Langchain-Chatchat on shared or semi-trusted networks with vision chat enabled should apply compensating controls immediately rather than waiting for a vendor response that may not come.

How does the attack unfold?

  1. Reconnaissance (AML.T0001): Attacker identifies a Langchain-Chatchat instance (≤ 0.3.1.3) on the local network with vision chat enabled and reviews the published PoC exploit for the PIL.Image.tobytes() hash collision.

  2. Adversarial Image Crafting (AML.T0043.003): Adversary generates two distinct images that produce an identical hash under the weak PIL.Image.tobytes() primitive, exploiting the CWE-327/328 broken cryptographic algorithm weakness.

  3. Paste Handler Exploitation (AML.T0049): Attacker submits the collision image pair through the vision chat paste interface in dialogue.py, causing the application to treat the adversarial image as equivalent to the validated benign image.

  4. Multimodal Integrity Violation (AML.T0043): The LLM receives attacker-substituted image content as its multimodal input, corrupting inference integrity and potentially producing manipulated or misleading model outputs.

What systems are affected?

Package: LangChain
Ecosystem: pip
Vulnerable range: <= 0.3.1.3
Patched: No patch
139.8K; OpenSSF 5.9; 2.7K dependents; pushed 2d ago; 24% patched; ~156d to patch

How severe is it?

CVSS 3.1: 2.6 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 4% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

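AV (Attack Vector): Adjacent
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): None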

What should I do?

6 steps
  1. No patch is available for langchain-chatchat ≤ 0.3.1.3 — monitor GitHub issue #5462 and GHSA-wmvv-fhm6-w34x for remediation updates.

  2. Disable or gate the Vision Chat paste image feature in webui_pages/dialogue/dialogue.py until patched.

  3. Enforce network segmentation to prevent adjacent-network access to the Langchain-Chatchat service from untrusted hosts.

  4. If modifying source is feasible, replace PIL.Image.tobytes() with hashlib.sha256() for image identity hashing.

  5. Audit any downstream applications embedding langchain-chatchat as a dependency and assess their vision chat exposure.

  6. Add the package to your software inventory for priority patching once a fix is released.

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - System and data security
NIST AI RMF: MANAGE 2.2 - Mechanisms to neutralize identified AI risks
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-7845 actively exploited?

No confirmed active exploitation of CVE-2026-7845 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-7845?

This vulnerability affects the following AI/ML architecture patterns: Multimodal LLM chat interfaces, Vision-enabled LLM application frameworks, Self-hosted LLM deployments with adjacent network exposure, Enterprise knowledge assistants with image paste capabilities.

What is the CVSS score for CVE-2026-7845?

CVE-2026-7845 has a CVSS v3.1 base score of 2.6 (LOW). The EPSS exploitation probability is 0.14%.

What is the AI security impact?

Affected AI Architectures

Multimodal LLM chat interfaces
Vision-enabled LLM application frameworks
Self-hosted LLM deployments with adjacent network exposure
Enterprise knowledge assistants with image paste capabilities

MITRE ATLAS Techniques

AML.T0001 Search Open AI Vulnerability Analysis
AML.T0010.001 AI Software
AML.T0043.003 Manual Modification
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. This manipulation of the argument paste_image.image_data causes use of weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Exploitation Scenario

An attacker with low-privilege credentials on the same network segment as a Langchain-Chatchat instance reviews the published PoC exploit for the PIL.Image.tobytes() hash collision weakness. The attacker generates two distinct images — one benign, one carrying adversarial visual content — that produce an identical hash under the vulnerable function. Using the vision chat paste interface, the attacker first submits the benign image to establish a validated or cached state in the system. Exploiting the hash collision, the attacker then pastes the adversarial image, which maps to the same hash value and is treated by the application as equivalent to the previously accepted benign image. The LLM receives the substituted adversarial image as its multimodal input, potentially producing manipulated or misleading outputs without triggering any integrity alert.
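
The remediation step that swaps in hashlib.sha256() and the scenario above both depend on how an image's identity is computed. The following is an added example, not code from Langchain-Chatchat or the advisory; DOMAIN, the function names and the sample pixels are constructed for illustration. It binds mode and dimensions into the SHA-256 digest, because Image.tobytes() returns pixel data only, so hashing that output alone cannot distinguish a 4x4 image from a 2x8 image with the same bytes.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Hypothetical domain-separation label; not a value from Langchain-Chatchat.
DOMAIN = b"example-image-identity-v1"


def _field(data: bytes) -> bytes:
    """Length-prefix a field so field boundaries are unambiguous."""
    return struct.pack(">Q", len(data)) + data


def pixel_only_digest(pixels: bytes) -> str:
    """Naive variant: SHA-256 over the tobytes() output alone."""
    return hashlib.sha256(pixels).hexdigest()


def image_digest(mode: str, size: Tuple[int, int], pixels: bytes) -> str:
    """SHA-256 bound to mode, width, height and the raw pixel bytes."""
    width, height = size
    h = hashlib.sha256()
    h.update(_field(DOMAIN))
    h.update(_field(mode.encode("ascii")))
    h.update(struct.pack(">II", width, height))
    h.update(_field(pixels))
    return h.hexdigest()


def pil_image_digest(img) -> str:
    """Digest a Pillow Image (duck-typed: .mode, .size, .tobytes())."""
    return image_digest(img.mode, img.size, img.tobytes())


def same_image(digest_a: str, digest_b: str) -> bool:
    """Constant-time comparison of two hex digests."""
    return hmac.compare_digest(digest_a, digest_b)


# Constructed sample: 16 greyscale bytes read as a 4x4 or a 2x8 image.
# Image.tobytes() returns only pixel data, so both layouts yield these bytes.
PIXELS = bytes(range(16))
SQUARE = ("L", (4, 4), PIXELS)
STRIP = ("L", (2, 8), PIXELS)

if __name__ == "__main__":
    print(pixel_only_digest(SQUARE[2]) == pixel_only_digest(STRIP[2]))  # True
    print(same_image(image_digest(*SQUARE), image_digest(*STRIP)))      # False
```
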

Weaknesses (CWE)

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm: The product uses a broken or risky cryptographic algorithm or protocol.

  • [Architecture and Design] When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 140-2 certification [REF-1192]. Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]
  • [Architecture and Design] Ensure that the design allows one cryptographic algorithm to be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. With hardware, design the product at the Intellectual Property (IP) level so that one cryptographic algorithm can be replaced with another in the next generation of the hardware product.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published: May 5, 2026
Last Modified: May 8, 2026
First Seen: May 5, 2026
