Langchain
AI Threat Alert tracks 35 known AI/ML vulnerabilities affecting Langchain products — each enriched with CVSS severity, EPSS exploit probability, patch status, and CISO-grade analysis. Browse every Langchain CVE below, sorted by severity and recency.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-25750 | langsmith: security flaw enables exploitation | langsmith | 8.1 |
| CRITICAL | CVE-2023-29374 | LangChain: RCE via prompt injection in LLMMathChain | langchain | 9.8 |
| CRITICAL | CVE-2023-34540 | LangChain: RCE via JiraAPIWrapper crafted input | langchain | 9.8 |
| CRITICAL | CVE-2023-34541 | LangChain: RCE via unsafe load_prompt deserialization | langchain | 9.8 |
| CRITICAL | CVE-2023-36258 | LangChain: unauthenticated RCE via code injection | langchain | 9.8 |
| CRITICAL | CVE-2023-36188 | LangChain: RCE via PALChain unsanitized Python exec | langchain | 9.8 |
| HIGH | CVE-2023-36189 | LangChain SQLDatabaseChain: SQL injection, DB exfil | langchain | 7.5 |
| CRITICAL | CVE-2023-36095 | LangChain PALChain: RCE via unsanitized exec() calls | langchain | 9.8 |
| CRITICAL | CVE-2023-38860 | LangChain: RCE via unsanitized prompt parameter | langchain | 9.8 |
| CRITICAL | CVE-2023-38896 | LangChain: RCE via unsandboxed LLM code execution | langchain | 9.8 |
| CRITICAL | CVE-2023-39659 | LangChain: RCE via unsanitized PythonAstREPL input | langchain | 9.8 |
| CRITICAL | CVE-2023-36281 | LangChain: RCE via malicious JSON prompt template | langchain | 9.8 |
| CRITICAL | CVE-2023-39631 | LangChain: RCE via numexpr evaluate injection | langchain | 9.8 |
| CRITICAL | CVE-2023-44467 | LangChain: RCE bypass via __import__ in PAL chain | langchain_experimental | 9.8 |
| HIGH | CVE-2023-46229 | LangChain: SSRF in URL loader exposes internal network | langchain | 8.8 |
| HIGH | CVE-2023-32786 | LangChain: prompt injection triggers SSRF via URL fetch | langchain | 7.5 |
| CRITICAL | CVE-2024-27444 | LangChain Experimental: RCE via Python sandbox escape | langchain-experimental | 9.8 |
| CRITICAL | CVE-2024-2057 | LangChain TFIDFRetriever: SSRF/RCE via load_local | langchain | 9.8 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| MEDIUM | CVE-2024-1455 | LangChain: Billion Laughs XML expansion causes DoS | langchain | 5.9 |
Page 1 of 2
Frequently asked questions
How many known vulnerabilities affect Langchain?
35 AI/ML CVEs affecting Langchain products are tracked, sourced from NVD and GitHub Advisory.
What Langchain products are affected?
The CVEs below map to the Langchain AI/ML packages and tools tracked by AI Threat Alert; open any CVE to see the affected components and versions.
Where does the Langchain vulnerability data come from?
Data is sourced from NVD and GitHub Advisory, then enriched with CVSS severity, EPSS exploit probability, and patch status for each CVE.
How can I monitor Langchain for new vulnerabilities?
AI Threat Alert tracks Langchain continuously; a Pro subscription adds breaking alerts when new CVEs affecting Langchain are published.
How do I assess Langchain's security exposure?
Each CVE below carries CVSS severity and exploitation signals, so you can review the highest-severity Langchain issues first and judge the exposure for your stack.