CVE-2026-7847: Langchain-Chatchat: predictable file IDs leak uploaded files

GHSA-jv4p-mhmp-69vw | Severity: LOW | CISA SSVC: Track*
Published May 5, 2026
CISO Take

Langchain-Chatchat's uploaded-file handler (_get_file_id in openai_routes.py) generates file IDs with an insufficiently random algorithm (CWE-330), so an attacker on an adjacent network holding any low-privilege account can predict and enumerate IDs and retrieve files uploaded by other users. The CVSS score is 2.6 and the EPSS probability is only 0.24% (higher than about 14% of all CVEs), but a public PoC writeup exists on GitHub and, critically, there is no patch for versions up to and including 0.3.1.3. With roughly 2,600 downstream dependents, a package risk score of 77/100, and 48 historical CVEs in the same package, this reflects a pattern of structural security debt in a widely deployed LLM application framework. Note that the affected project is Langchain-Chatchat (chatchat-space), not the core LangChain library. Until a patch is released, keep the application on trusted internal networks, enforce strict API authentication, add a server-side owner check on file reads, and audit access logs for sequential or patterned file ID requests.

Sources: NVD, EPSS, GitHub Advisory, OpenSSF, MITRE ATLAS

What is the risk?

Practical risk meaningfully exceeds the CVSS 2.6 rating. No upstream patch exists, and the researcher PoC is publicly documented and referenced in the GitHub issue tracker. In multi-user or enterprise LLM chat deployments where users upload sensitive documents for RAG, any file whose ID can be predicted is readable by any other authenticated user, so the blast radius is the shared document store rather than a single account. The adjacent-network and high-complexity ratings pull the score down, but both conditions are routinely met inside corporate networks, VPNs or shared cloud tenancies, and the low-privilege requirement is satisfied by any account that can upload a file. The package's history of 48 CVEs and a 77/100 risk score indicate systemic security hygiene concerns that warrant review beyond this single finding.

How does the attack unfold?

Initial Access (AML.T0049 Exploit Public-Facing Application)
Attacker with low-privilege credentials connects to the Langchain-Chatchat API from an adjacent network position (internal network, VPN, or shared cloud tenant).

ID Enumeration (AML.T0006 Active Scanning)
Attacker uploads a test file and analyzes the returned file ID to reverse-engineer the weak PRNG pattern used by _get_file_id.

File Access (AML.T0037 Data from Local System)
Attacker iterates over predicted file IDs, issuing HTTP requests to retrieve files uploaded by other users without authorization.

Data Exfiltration (AML.T0025 Exfiltration via Cyber Means)
Uploaded documents containing confidential business content, PII, or RAG source data are retrieved and exfiltrated outside the organization.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langchain-Chatchat (chatchat-space) pip <= 0.3.1.3 No patch

Do you run Langchain-Chatchat 0.3.1.3 or earlier? You're affected. The vulnerable component is the upload handler in Langchain-Chatchat's chatchat-server (libs/chatchat-server/chatchat/server/api_server/openai_routes.py), not the core langchain library.

How severe is it?

CVSS 3.1: 2.6 / 10 (LOW)
EPSS: 0.24% chance of exploitation in 30 days (higher than 14% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Adjacent
AC (Attack Complexity): High
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): None
A (Availability): None

What should I do?

6 steps
  1. No upstream patch is available for versions <= 0.3.1.3 — evaluate whether deployment can be isolated or suspended until patched.

  2. Restrict API access to the minimum required network scope; enforce network segmentation to prevent adjacent access from untrusted hosts.

  3. Apply a local code patch to replace the _get_file_id implementation in openai_routes.py with Python's secrets.token_urlsafe() or os.urandom(32).hex() for cryptographically secure ID generation.

  4. Add server-side access control to validate that the requesting user matches the original file uploader before returning file content.

  5. Audit server logs for sequential or patterned file ID access attempts as an indicator of active exploitation.

  6. Pin the dependency and subscribe to upstream releases for a patch.
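The local patch in step 3 and the owner check in step 4, as an added example. This is not Langchain-Chatchat's code and not the project's actual _get_file_id, which the page does not show. weak_file_id is a hypothetical illustration of a predictable scheme (a statistical PRNG seeded from the upload time), included only to show why such IDs can be recovered from one observation; FileStore is an assumed in-memory registry standing in for the server's upload handler.

```python
"""Hardened file-ID handling for an upload endpoint (added example).

weak_file_id / guess_weak_ids: hypothetical predictable scheme, NOT the
project's implementation.  secure_file_id / FileStore: the replacement
recommended in steps 3 and 4 (CSPRNG IDs plus a server-side owner check).
"""
import random
import secrets
from dataclasses import dataclass, field


# --- Illustrative weak scheme (hypothetical) ------------------------------
def weak_file_id(upload_second: int) -> str:
    """ID from a Mersenne Twister seeded with the upload time. Anyone who
    knows roughly when a file was uploaded can regenerate the same ID."""
    return "file-" + format(random.Random(upload_second).getrandbits(64), "016x")


def guess_weak_ids(observed_second: int, window: int) -> set[str]:
    """Attacker side: every ID the weak scheme could have produced within
    +/- `window` seconds of an upload time learned from an observed ID."""
    return {weak_file_id(s)
            for s in range(observed_second - window, observed_second + window + 1)}


# --- Hardened replacement ------------------------------------------------
def secure_file_id() -> str:
    """256 bits from the OS CSPRNG (secrets.token_urlsafe): not enumerable."""
    return "file-" + secrets.token_urlsafe(32)


@dataclass
class StoredFile:
    owner: str
    content: bytes


@dataclass
class FileStore:
    """Assumed in-memory registry: owner is stored beside the content and
    checked on every read, so even a leaked ID is useless to another user."""
    _files: dict[str, StoredFile] = field(default_factory=dict)

    def upload(self, owner: str, content: bytes) -> str:
        file_id = secure_file_id()
        while file_id in self._files:          # collision is negligible; never overwrite
            file_id = secure_file_id()
        self._files[file_id] = StoredFile(owner, content)
        return file_id

    def fetch(self, file_id: str, requester: str) -> bytes:
        entry = self._files.get(file_id)
        # Same error for "missing" and "not yours": a guessed ID must not be
        # confirmable through a differing response.
        if entry is None or not secrets.compare_digest(
                entry.owner.encode(), requester.encode()):
            raise PermissionError("file not found or not owned by requester")
        return entry.content


if __name__ == "__main__":
    victim_id = weak_file_id(1_700_000_000)          # constructed upload time
    assert victim_id in guess_weak_ids(1_700_000_003, 5)   # recovered from a +/-5 s window

    store = FileStore()
    fid = store.upload("alice", b"contract.pdf bytes")
    assert store.fetch(fid, "alice") == b"contract.pdf bytes"
    try:
        store.fetch(fid, "bob")
    except PermissionError:
        print("bob denied, alice served; weak ID recovered:", victim_id)
```

The two changes are independent and both are needed: unpredictable IDs stop enumeration, and the owner check stops access through an ID obtained any other way (a shared link, a log line, a browser history). Returning one error for both the missing and the foreign-owner case keeps the endpoint from acting as an existence oracle.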

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2.6 - Cryptographic controls
NIST AI RMF
MANAGE 2.2 - Countermeasures and safeguards are developed and deployed
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-7847?

A CWE-330 (insufficiently random values) weakness in the uploaded-file handler of Langchain-Chatchat (chatchat-space) up to version 0.3.1.3: file IDs produced by _get_file_id in openai_routes.py are predictable, so a low-privilege user on an adjacent network can enumerate them and read files uploaded by other users. CVSS 3.1 rates it 2.6 (LOW) and EPSS is 0.24%, but a public PoC exists and no upstream patch is available.

Is CVE-2026-7847 actively exploited?

No confirmed active exploitation of CVE-2026-7847 has been reported, but a public PoC exists and no upstream patch is available, so organizations should apply the mitigations above (network isolation, a local patch for ID generation, and a server-side owner check) proactively rather than wait for in-the-wild reports.

How to fix CVE-2026-7847?

There is no upstream patch for versions <= 0.3.1.3, so: (1) evaluate whether the deployment can be isolated or suspended until one ships; (2) restrict API access to the minimum network scope and segment it from untrusted hosts; (3) apply a local patch replacing the _get_file_id implementation in openai_routes.py with secrets.token_urlsafe() or os.urandom(32).hex(); (4) add a server-side check that the requesting user is the original uploader before returning file content; (5) audit server logs for sequential or patterned file ID access as an indicator of exploitation; (6) pin the dependency and subscribe to upstream releases for a patch.

What systems are affected by CVE-2026-7847?

This vulnerability affects the following AI/ML architecture patterns: LLM chat applications, document upload and processing pipelines, RAG pipelines, agent frameworks.

What is the CVSS score for CVE-2026-7847?

CVE-2026-7847 has a CVSS v3.1 base score of 2.6 (LOW). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

LLM chat applications, document upload and processing pipelines, RAG pipelines, agent frameworks

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. Performing a manipulation results in insufficiently random values. Access to the local network is required for this attack. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Exploitation Scenario

An attacker with access to the internal network — via a compromised endpoint, shared cloud environment, or malicious insider — authenticates to the Langchain-Chatchat API with any low-privilege account. They upload a test file and observe the returned file ID. By analyzing the ID structure (predictable due to a weak PRNG), they derive the generation algorithm and enumerate forward and backward in the ID space. HTTP requests using enumerated IDs return files uploaded by other users. Sensitive documents submitted for private RAG sessions — contracts, HR records, financial data — are retrieved without authorization.
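The sequential-access pattern in this scenario is what the log audit in step 5 of "What should I do?" should surface. The following is an added example, not a Langchain-Chatchat feature: it runs over constructed access-log lines in a made-up format (timestamp, user, path, status; adapt LOG_RE to your reverse proxy or uvicorn access log) and flags any user who requests many distinct file IDs that return 403/404 inside a short window, also reporting how long a run of consecutive hex suffixes that user's requested IDs form.

```python
"""File-ID enumeration detector over access logs (added example).

Log format below is constructed for this example and is not the project's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET /v1/files/(?P<fid>\S+) (?P<status>\d{3})$"
)

# Constructed sample: bob walks consecutive IDs (one lands on a real file),
# alice reads her own file twice, carol mistypes one ID.
SAMPLE_LOG = [
    "2026-05-06T10:00:00Z user=alice GET /v1/files/file-3f9c1b 200",
    "2026-05-06T10:00:05Z user=bob GET /v1/files/file-3f9c10 404",
    "2026-05-06T10:00:06Z user=bob GET /v1/files/file-3f9c11 404",
    "2026-05-06T10:00:07Z user=bob GET /v1/files/file-3f9c12 404",
    "2026-05-06T10:00:08Z user=bob GET /v1/files/file-3f9c13 404",
    "2026-05-06T10:00:09Z user=bob GET /v1/files/file-3f9c14 404",
    "2026-05-06T10:00:10Z user=bob GET /v1/files/file-3f9c15 404",
    "2026-05-06T10:00:11Z user=bob GET /v1/files/file-3f9c16 200",
    "2026-05-06T10:00:12Z user=bob GET /v1/files/file-3f9c17 404",
    "2026-05-06T10:01:00Z user=alice GET /v1/files/file-3f9c1b 200",
    "2026-05-06T10:30:00Z user=carol GET /v1/files/file-77aa00 404",
]


def parse(line: str):
    """Return (epoch_seconds, user, file_id, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["user"], m["fid"], int(m["status"])


def sequential_run(fids) -> int:
    """Longest run of consecutive integers among the trailing hex digits of
    the IDs: a high value means the client is counting, not clicking."""
    nums = set()
    for fid in fids:
        m = re.search(r"([0-9a-fA-F]+)$", fid)
        if m:
            nums.add(int(m.group(1), 16))
    best = run = 0
    prev = None
    for n in sorted(nums):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def detect_enumeration(lines, window_s: int = 60, max_misses: int = 5) -> dict:
    """Flag users with more than `max_misses` distinct file IDs answered
    403/404 inside any `window_s`-second sliding window. A legitimate client
    only requests IDs it was handed, so repeated distinct misses mean guessing."""
    misses = defaultdict(deque)      # user -> (ts, fid) for 403/404 responses
    requested = defaultdict(list)    # user -> every fid requested, hit or miss
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, fid, status = rec
        requested[user].append(fid)
        if status not in (403, 404):
            continue
        dq = misses[user]
        dq.append((ts, fid))
        while ts - dq[0][0] > window_s:   # drop misses outside the window
            dq.popleft()
        distinct = len({f for _, f in dq})
        if distinct > max_misses:
            flagged[user] = max(flagged.get(user, 0), distinct)
    return {u: {"distinct_misses": n, "sequential_run": sequential_run(requested[u])}
            for u, n in flagged.items()}


if __name__ == "__main__":
    for user, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {user}: {info['distinct_misses']} distinct misses, "
              f"consecutive-ID run of {info['sequential_run']}")
```

One caveat for this CVE specifically: in an unpatched deployment without the owner check from step 4, a correct guess returns 200, so a client that predicts IDs accurately produces few misses. Pair the miss counter with a second rule that fires when a user reads an ID it did not upload, which needs the per-file owner record the server should be keeping anyway.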

Weaknesses (CWE)

CWE-330 — Use of Insufficiently Random Values: The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

  • [Architecture and Design] Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
  • [Implementation] Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
May 5, 2026
Last Modified
May 8, 2026
First Seen
May 5, 2026

Related Vulnerabilities