{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/langchain/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["langchain","path-traversal","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMultiple path traversal vulnerabilities have been identified within the \u003ccode\u003elangchain-core\u003c/code\u003e package, specifically affecting the legacy \u003ccode\u003eload_prompt\u003c/code\u003e, \u003ccode\u003eload_prompt_from_config\u003c/code\u003e, and \u003ccode\u003e.save()\u003c/code\u003e methods. These vulnerabilities stem from a lack of validation on file paths embedded within deserialized configuration dictionaries. An attacker who can influence or control the prompt configuration supplied to these functions can exploit this flaw to read arbitrary files on the host filesystem. The scope is constrained by file extension checks, limiting readable files to \u003ccode\u003e.txt\u003c/code\u003e for templates and \u003ccode\u003e.json\u003c/code\u003e or \u003ccode\u003e.yaml\u003c/code\u003e for examples. This issue impacts applications that accept prompt configurations from untrusted sources, such as low-code AI builders and API wrappers exposing \u003ccode\u003eload_prompt_from_config()\u003c/code\u003e. The vulnerable code resides within \u003ccode\u003elangchain_core/prompts/loading.py\u003c/code\u003e in the \u003ccode\u003e_load_template()\u003c/code\u003e, \u003ccode\u003e_load_examples()\u003c/code\u003e, and \u003ccode\u003e_load_few_shot_prompt()\u003c/code\u003e functions. This vulnerability is resolved in \u003ccode\u003elangchain-core\u003c/code\u003e version 1.2.22, and the affected functions are now deprecated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an application using the vulnerable \u003ccode\u003elangchain-core\u003c/code\u003e library and the legacy \u003ccode\u003eload_prompt_from_config()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious prompt configuration dictionary containing a \u003ccode\u003etemplate_path\u003c/code\u003e, \u003ccode\u003esuffix_path\u003c/code\u003e, \u003ccode\u003eprefix_path\u003c/code\u003e, \u003ccode\u003eexamples\u003c/code\u003e, or \u003ccode\u003eexample_prompt_path\u003c/code\u003e key with a path traversal sequence (e.g., \u003ccode\u003e../../etc/passwd\u003c/code\u003e) or an absolute path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious configuration into the application, potentially via a low-code AI builder or an API endpoint that accepts prompt configurations.\u003c/li\u003e\n\u003cli\u003eThe application deserializes the malicious configuration dictionary and passes it to \u003ccode\u003eload_prompt_from_config()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eload_prompt_from_config()\u003c/code\u003e calls the relevant vulnerable function (\u003ccode\u003e_load_template()\u003c/code\u003e, \u003ccode\u003e_load_examples()\u003c/code\u003e, or \u003ccode\u003e_load_few_shot_prompt()\u003c/code\u003e) based on the configuration.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function reads the file specified in the malicious path without proper validation.\u003c/li\u003e\n\u003cli\u003eThe contents of the file are then incorporated into a prompt object.\u003c/li\u003e\n\u003cli\u003eThe application, believing the prompt is benign, processes it further, potentially disclosing the file contents to the attacker via an error message, logging, or other output channels.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to read arbitrary files on the system, potentially exposing sensitive information. This includes cloud-mounted secrets (e.g., \u003ccode\u003e/mnt/secrets/api_key.txt\u003c/code\u003e), configuration files (e.g., \u003ccode\u003erequirements.txt\u003c/code\u003e), cloud credentials (e.g., \u003ccode\u003e~/.docker/config.json\u003c/code\u003e), Kubernetes manifests, CI/CD configurations, and application settings. The impact is especially severe in applications that handle sensitive data or operate in cloud environments. While no victim numbers are available, any application using the vulnerable \u003ccode\u003elangchain-core\u003c/code\u003e versions is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003elangchain-core\u003c/code\u003e to version 1.2.22 or later to patch CVE-2026-34070.\u003c/li\u003e\n\u003cli\u003eMigrate away from the deprecated \u003ccode\u003eload_prompt\u003c/code\u003e, \u003ccode\u003eload_prompt_from_config\u003c/code\u003e, and \u003ccode\u003e.save()\u003c/code\u003e methods in favor of the \u003ccode\u003edumpd\u003c/code\u003e/\u003ccode\u003edumps\u003c/code\u003e/\u003ccode\u003eload\u003c/code\u003e/\u003ccode\u003eloads\u003c/code\u003e serialization APIs in \u003ccode\u003elangchain_core.load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf you cannot immediately upgrade, sanitize user-supplied prompt configurations to prevent path traversal by rejecting absolute paths and paths containing \u003ccode\u003e..\u003c/code\u003e sequences.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;LangChain Path Traversal Attempt\u0026rdquo; to detect attempts to exploit this vulnerability by monitoring process creations involving \u003ccode\u003epython\u003c/code\u003e and path traversal sequences in command line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T10:00:00Z","date_published":"2026-03-28T10:00:00Z","id":"/briefs/2026-03-langchain-path-traversal/","summary":"A path traversal vulnerability in LangChain Core's legacy `load_prompt` functions allows attackers to read arbitrary files by injecting malicious paths into prompt configurations.","title":"LangChain Core Path Traversal Vulnerability in Legacy APIs","url":"https://feed.craftedsignal.io/briefs/2026-03-langchain-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Langchain","version":"https://jsonfeed.org/version/1.1"}