CVE-2026-7846: Langchain-Chatchat: TOCTOU race allows silent file overwrite

GHSA-x229-w2j4-h748 LOW PoC AVAILABLE CISA: TRACK*
Published May 5, 2026
CISO Take

Langchain-Chatchat's OpenAI-compatible file upload API contains a time-of-check time-of-use race condition (CWE-367) in its filename handling logic, enabling a low-privileged attacker on the same network segment to silently overwrite files in the application's knowledge base. While the CVSS score is low at 2.6 and exploitation requires adjacent network access with high complexity, the package carries a risk score of 77/100, has 2,603 downstream dependents, and has accumulated 48 CVEs — signaling systemic security debt rather than an isolated flaw. No patch is available and the maintainer has not responded to the responsible disclosure, leaving all deployed instances permanently exposed with no vendor remediation path in sight. Immediately restrict file upload API access to trusted internal hosts via network controls, enable filesystem integrity monitoring on the knowledge base directory, and evaluate migration to a maintained alternative RAG framework.

Sources: NVD EPSS GitHub Advisory OpenSSF ATLAS

What is the risk?

CVSS 2.6 understates operational risk for AI deployments. The adjacent-network attack vector is a real barrier in public internet contexts, but Langchain-Chatchat is predominantly deployed in intranet and enterprise environments where adjacent-network access is achievable by any compromised internal host or insider. High attack complexity applies to triggering the race window reliably, not to accessing the API itself. With no patch, an unresponsive maintainer, a package risk score of 77/100, and 48 prior CVEs, this represents a long-tail exposure risk for organizations running document Q&A or RAG pipelines. The primary consequence — silent knowledge base poisoning — is particularly dangerous because it produces no security alerts and may go undetected for extended periods while quietly corrupting LLM responses.

How does the attack unfold?

Initial Access
Attacker with low-privilege credentials accesses the Langchain-Chatchat OpenAI-compatible file upload API from an adjacent network position such as an internal host, VPN endpoint, or compromised service account.
AML.T0049
Race Condition Exploitation
Attacker fires concurrent file upload requests, timing a malicious payload to land in the TOCTOU window between filename validation and final file write, silently substituting a legitimate document with adversarial content.
AML.T0049
Knowledge Base Poisoning
The overwritten file is ingested by the RAG pipeline on the next sync cycle, injecting attacker-controlled content into the retrieval index with no integrity check triggered and no audit alert generated.
AML.T0070
LLM Response Manipulation
Users querying the chatbot receive responses that retrieve and incorporate the poisoned document content, producing attacker-influenced outputs with no visible indicator that the knowledge base has been compromised.
AML.T0020

What systems are affected?

Package: LangChain
Ecosystem: pip
Vulnerable Range: <= 0.3.1.3
Patched: No patch
Package profile: 139.8K · OpenSSF 5.9 · 2.7K dependents · pushed 2d ago · 24% patched · ~156d to patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
2.6 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 6% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Adjacent
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): None

What should I do?

7 steps
  1. No upstream patch available — monitor the GitHub issue (#5463) and maintainer response; consider forking or pinning to a reviewed commit.

  2. Restrict file upload API endpoints to allowlisted trusted source IPs via firewall or reverse proxy rules.

  3. Deploy filesystem integrity monitoring (AIDE, Wazuh, or equivalent) on the Langchain-Chatchat knowledge base directory to detect unauthorized file modifications.

  4. Require cryptographic checksums or hash verification of uploaded documents before ingestion into the knowledge base.

  5. Audit existing knowledge base files against known-good hashes to detect prior silent overwrites.

  6. Enforce sequential (non-concurrent) file upload processing at the application or proxy layer to eliminate the TOCTOU window as a compensating control.

  7. Evaluate migration to a maintained RAG framework with an active security response process.
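Steps 3 to 5 above all come down to one mechanism: a SHA-256 manifest of the knowledge base directory that is built while the files are known-good, compared on a schedule, and consulted before a newly uploaded document is ingested. The following script is an added example of that mechanism and is not Langchain-Chatchat code; the directory layout, file names and document contents in `demo()` are constructed for illustration, and a TOCTOU overwrite is simulated simply by rewriting a file in place, since that is all a silent overwrite looks like on disk.

```python
"""Hash-based integrity baseline and audit for a RAG knowledge base directory.

Added example for the remediation steps of CVE-2026-7846 (integrity monitoring,
hash verification before ingestion, audit against known-good hashes).
Not part of Langchain-Chatchat; all paths and documents below are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large PDFs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Step 5: report files that appeared, vanished, or changed content since the baseline.

    A silently overwritten document keeps its name, so it shows up under 'modified'.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def verify_upload(data: bytes, expected_sha256: str) -> bool:
    """Step 4: refuse to ingest a document whose digest does not match the one the
    submitter supplied out-of-band (e.g. in a ticket or a signed manifest)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small knowledge base, simulate a same-name
    overwrite plus one new file, then audit. Returns the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        kb = Path(tmp)
        (kb / "policies").mkdir()
        (kb / "policies" / "refund.md").write_bytes(b"Refunds are processed within 14 days.\n")
        (kb / "faq.md").write_bytes(b"Q: Support hours? A: 9-17 CET.\n")

        baseline = build_manifest(kb)  # taken while the files are known-good

        # Same filename, different content: the on-disk effect of a silent overwrite.
        (kb / "policies" / "refund.md").write_bytes(b"Refunds require calling <CONSTRUCTED NUMBER>.\n")
        (kb / "new-vendor-note.md").write_bytes(b"constructed new document\n")

        return diff_manifests(baseline, build_manifest(kb))


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest must live outside the knowledge base directory (and outside the upload API's write path), otherwise the same overwrite that poisons a document can also rewrite the record used to detect it; a tool such as AIDE or Wazuh keeps its database that way by default. Run `diff_manifests` on a schedule and treat any non-empty `modified` list for a directory that only the ingestion pipeline should touch as an incident, not a warning.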

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system data quality
A.9.7 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to address AI risks
OWASP LLM Top 10
LLM03 - Training Data Poisoning

Frequently Asked Questions


Is CVE-2026-7846 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-7846, increasing the risk of exploitation.


What systems are affected by CVE-2026-7846?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, LLM-powered knowledge bases, document Q&A systems, agent frameworks with file tools, enterprise chatbot deployments.

What is the CVSS score for CVE-2026-7846?

CVE-2026-7846 has a CVSS v3.1 base score of 2.6 (LOW). The EPSS exploitation probability is 0.16%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, LLM-powered knowledge bases, document Q&A systems, agent frameworks with file tools, enterprise chatbot deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0020 Poison Training Data
AML.T0049 Exploit Public-Facing Application
AML.T0070 RAG Poisoning

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5, A.9.7
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads to time-of-check time-of-use. Access to the local network is required for this attack to succeed. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Exploitation Scenario

An attacker with low-privilege credentials on the internal network — such as a compromised service account or an insider — fires two concurrent upload requests to the OpenAI-compatible file API. Request A uploads a legitimate document; request B, timed to hit the TOCTOU window between filename validation and the final file write, substitutes a malicious document containing adversarial instructions or disinformation targeted at specific query topics. The file system write completes with the attacker-controlled content, silently replacing a trusted knowledge base document. On the next RAG pipeline sync, the poisoned document is indexed. Users subsequently querying the chatbot receive LLM responses that incorporate attacker-controlled text, with no integrity alert, no audit log entry flagging the overwrite, and no visible sign that the knowledge base has been tampered with.

Weaknesses (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

  • [Architecture and Design] In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.
  • [Architecture and Design] Use thread-safe capabilities such as the data access abstraction in Spring.

Source: MITRE CWE corpus.
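The exploitation scenario above and the CWE-362 guidance both turn on the same defect: an existence check on the destination filename and the write that follows it are two separate steps, and a second request can land between them. The code below is an added, generic illustration of that pattern and of one way to close it; it is not Langchain-Chatchat's upload handler and makes no claim about how `openai_routes.py` is written. `store_racy` shows the check-then-write shape, `store_atomic` lets the kernel claim the final name in a single operation (`link()` fails with `EEXIST` if the name already exists), and `demo()` releases several constructed uploaders at the same instant to show that exactly one wins and the stored content is never a mix.

```python
"""Race-free, no-clobber upload store.

Added example for CVE-2026-7846 / CWE-362: not Langchain-Chatchat code.
Filenames and payloads in demo() are constructed.
"""
import os
import tempfile
import threading
from pathlib import Path


class UploadExists(Exception):
    """Raised when a document with that name is already in the store."""


def safe_name(filename: str) -> str:
    """Keep only the final path component; the store is flat, so '..' and
    separators from the client must never reach the filesystem."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in {".", ".."} or "\x00" in name:
        raise ValueError("invalid filename")
    return name


def store_racy(root: Path, filename: str, data: bytes) -> Path:
    """The CWE-367 shape. The exists() check and the write are separate system
    calls, so two concurrent requests for the same name can both pass the check
    and the later write silently replaces the earlier document."""
    dest = Path(root) / safe_name(filename)
    if dest.exists():            # time of check
        raise UploadExists(dest.name)
    dest.write_bytes(data)       # time of use
    return dest


def store_atomic(root: Path, filename: str, data: bytes) -> Path:
    """Write the full content to a private temp file, then claim the final name
    atomically. There is no window in which another request can interleave."""
    root = Path(root)
    dest = root / safe_name(filename)
    # Temp file in the same directory so the final link is on the same filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".upload-", dir=root)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        try:
            # link() creates `dest` only if it does not exist; check and create are
            # one kernel operation, so concurrent uploaders cannot both succeed and
            # an existing document is never overwritten.
            os.link(tmp, dest)
        except FileExistsError:
            raise UploadExists(dest.name) from None
    finally:
        os.unlink(tmp)           # drop the temp name; the data survives under dest if linked
    return dest


def demo(workers: int = 8) -> tuple[int, int, bool]:
    """Constructed race: `workers` threads upload different payloads under the same
    (hostile-looking) filename at once. Returns (successes, rejections, content_intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        payloads = [f"document version {i}\n".encode() for i in range(workers)]
        results: list[str] = []
        barrier = threading.Barrier(workers)

        def worker(payload: bytes) -> None:
            barrier.wait()       # release every thread together to maximise overlap
            try:
                store_atomic(root, "../../handbook.md", payload)
                results.append("ok")
            except UploadExists:
                results.append("exists")

        threads = [threading.Thread(target=worker, args=(p,)) for p in payloads]
        for t in threads:
            t.start()
        for t in threads:
            t.join()

        on_disk = (root / "handbook.md").read_bytes()
        return results.count("ok"), results.count("exists"), on_disk in payloads


if __name__ == "__main__":
    print(demo())
```

The same property can be obtained with `os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL)`, but then a reader can observe a partially written document; the temp-file-plus-link form makes the content complete before the name exists. If an application must allow replacing a document, the replacement should be an explicit, separately authorised operation (for example `os.replace` from a temp file after an ownership check under a lock), not an accidental side effect of a second upload with the same name.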

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
May 5, 2026
Last Modified
May 8, 2026
First Seen
May 5, 2026
