Executive Summary
A high-severity path traversal vulnerability (CVE-2026-34070, CVSS 7.5 HIGH) in langchain-core allows an unauthenticated network attacker to read files with permitted extensions (.txt, .json, .yaml) from arbitrary paths on the host filesystem by embedding crafted path strings in a prompt configuration dictionary (NVD). No authentication, credentials, or user interaction are required. Any deployment that passes externally-controlled input to langchain_core.prompts.loading functions on an affected version is directly exposed. Defenders should upgrade langchain-core to version 1.2.22 or later immediately and audit all code paths that supply external input to prompt loading functions.
Vulnerability Overview
| Field | Value |
|---|---|
| CVE | CVE-2026-34070 |
| CVSS v3.1 | 7.5 HIGH |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CWE | CWE-22 (Path Traversal) |
| Affected | langchain-core < 1.2.22 |
| Fix | langchain-core >= 1.2.22 |
| Vendor | LangChain |
| GHSA | GHSA-qh6h-p6c9-ff54 |
| Fix Commit | 27add913474e01e33bededf4096151130ba0d47c |
| NVD Published | 2026-03-31 |
Technical Analysis
Multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialised configuration dictionaries without validating those paths against directory traversal sequences or rejecting absolute path injection (NVD, CVE-2026-34070). The root cause is CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
When a prompt configuration is loaded — for example, from a JSON or YAML dictionary — the affected functions accept a file, path, or template_path field and open the file at the specified location. On versions of langchain-core prior to 1.2.22, no check is performed to confirm that the resolved path falls within an expected base directory, and traversal sequences such as ../../../../etc/passwd or absolute paths such as /etc/shadow are not stripped or rejected before the file is opened (NVD, CVE-2026-34070, CWE-22).
The fix commit 27add913474e01e33bededf4096151130ba0d47c hardens path checks in the affected module and was released as langchain-core==1.2.22 (GitHub Advisory GHSA-qh6h-p6c9-ff54).
The practical precondition is that the attacker must be able to influence the configuration dictionary passed to a prompt-loading function. In LangChain-based agentic pipelines, prompt templates are frequently loaded from user-supplied YAML or JSON configuration, deserialised chain definitions, or data retrieved via external tool calls (RAXE assessment). Deployments that accept any of these as external input are within scope.
Impact Assessment
| Dimension | Rating | Basis |
|---|---|---|
| Confidentiality | HIGH | File read from arbitrary paths on host filesystem, constrained by file-extension checks — .txt, .json, .yaml (NVD CVSS C:H) |
| Integrity | NONE | Read-only vulnerability; no write primitive exists (NVD CVSS I:N) |
| Availability | NONE | No denial-of-service component (NVD CVSS A:N) |
| Scope | Unchanged | Impact confined to the vulnerable component (NVD CVSS S:U) |
The practical impact of a successful exploit is bounded by the filesystem permissions of the process running langchain-core. In production container deployments where the application runs with broad filesystem access — a common configuration — an attacker could read credentials files, private keys, environment variable files, and other sensitive data. Deployments running the process as a low-privilege user on a read-restricted filesystem will experience reduced practical impact, though the scored CVSS reflects the worst-case configuration (RAXE assessment).
CVSS Vector Breakdown
The following table walks through each element of the CNA-submitted CVSS 3.1 vector (recorded in NVD via GitHub Security Advisories) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, CVE-2026-34070).
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | N — Network | The vulnerability is reachable from the network without requiring local access |
| Attack Complexity (AC) | L — Low | No race conditions, special configurations, or information-gathering prerequisites are required |
| Privileges Required (PR) | N — None | The attack requires no authentication or account on the target system |
| User Interaction (UI) | N — None | No action from a legitimate user is needed to trigger the vulnerability |
| Scope (S) | U — Unchanged | Impact is limited to the vulnerable component; no privilege boundary is crossed |
| Confidentiality (C) | H — High | File read from arbitrary paths (constrained to .txt, .json, .yaml extensions) means the attacker can obtain sensitive data from the host filesystem |
| Integrity (I) | N — None | The vulnerability provides no write or modification capability |
| Availability (A) | N — None | There is no denial-of-service component in the attack |
Exploitation Context
The vendor advisory GHSA-qh6h-p6c9-ff54 includes proof-of-concept code demonstrating three attack vectors: absolute path injection via template_path, directory traversal via ../../ sequences, and few-shot examples exploitation via the examples parameter (GHSA-qh6h-p6c9-ff54). The availability of vendor-published PoC code lowers the barrier to exploitation. The EPSS score for CVE-2026-34070 is 0.0480% (raw: 0.000480) at the 14.9th percentile as of 2026-04-03 (FIRST.org), indicating low current exploitation activity. CVE-2026-34070 does not appear in the CISA Known Exploited Vulnerabilities catalogue at the time of writing.
Path traversal vulnerabilities in application-layer frameworks have historically seen delayed uptake: exploitation typically requires context-specific knowledge of how a target application handles user input, which reduces the value of opportunistic network-wide scanning relative to infrastructure-layer vulnerabilities (RAXE assessment). Despite the low EPSS score, the combination of vendor-published PoC code and zero-authentication requirement means that once an attacker identifies a feasible attack path in a specific application, exploitation is straightforward. No reported in-the-wild exploitation has been observed at the time of writing.
Affected Components
The vulnerability resides in the langchain_core.prompts.loading module within the langchain-core Python package, which is a core dependency of the LangChain framework for building LLM-powered applications and agentic pipelines (NVD, CVE-2026-34070). All releases of langchain-core prior to version 1.2.22 are affected.
The fixed release langchain-core==1.2.22 is available on PyPI (PyPI registry, https://pypi.org/pypi/langchain-core/1.2.22/json).
To check the currently installed version:
pip show langchain-core | grep Version
Detection Guidance
Two detection rule sets are provided in the RAXE-2026-046 detection directory, covering different telemetry sources.
Sigma rules (langchain-path-traversal.yml, 2 rules):
- SIGMA-RAXE-2026-046-001 (Lane 2 — Vulnerability-Informed): Detects Python process invocations that reference langchain_core.prompts.loading while the command line contains directory traversal sequences (../) or absolute paths targeting sensitive files. Compatible with auditd EXECVE events, eBPF process monitors (Falco, Tetragon), EDR process telemetry, and osquery. Severity: High.
- SIGMA-RAXE-2026-046-002 (Lane 1 — Delivery): Detects inbound HTTP POST or PUT requests whose URI contains directory traversal sequences or references to sensitive absolute paths on endpoints matching common LangChain API patterns (/prompt, /chain, /invoke, /agent, etc.). Compatible with nginx, HAProxy, Traefik, WAF, and API gateway access logs. Severity: High.
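The request-side logic described for the second Sigma rule can be prototyped against access logs before the rule is deployed. The following is an added example, not the RAXE rule itself: the nginx-style log format, the use of /etc/ as the "sensitive absolute path" marker, and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint fragments listed in the rule description on this page.
ENDPOINTS = ("/prompt", "/chain", "/invoke", "/agent")
# Assumption: "/etc/" stands in for "sensitive absolute paths".
SENSITIVE_PREFIXES = ("/etc/",)
# Request portion of an nginx-style access log line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, invented endpoints).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2026:10:00:01 +0000] "POST /api/prompt/load?template_path=../../../../etc/passwd HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Apr/2026:10:00:02 +0000] "POST /v1/chain/run?cfg=%2e%2e%2f%2e%2e%2fsecrets.yaml HTTP/1.1" 200 88',
    '203.0.113.9 - - [03/Apr/2026:10:00:03 +0000] "PUT /agent/config?path=/etc/shadow HTTP/1.1" 403 0',
    '198.51.100.4 - - [03/Apr/2026:10:00:04 +0000] "POST /api/prompt/load?template_path=greet.txt HTTP/1.1" 200 301',
    '198.51.100.4 - - [03/Apr/2026:10:00:05 +0000] "GET /invoke?path=../../x.txt HTTP/1.1" 200 12',
    '198.51.100.4 - - [03/Apr/2026:10:00:06 +0000] "POST /healthz?next=../ HTTP/1.1" 200 2',
]


def normalise(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so encoded separators are compared as-is."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")


def is_suspicious(line: str) -> bool:
    """True for POST/PUT to a LangChain-style endpoint with a traversal marker."""
    m = REQUEST_RE.search(line)
    if not m or m["method"] not in ("POST", "PUT"):
        return False
    raw_path, _, raw_query = m["uri"].partition("?")
    path, query = normalise(raw_path), normalise(raw_query)
    if not any(ep in path for ep in ENDPOINTS):
        return False
    target = path + "?" + query
    return "../" in target or any(p in target for p in SENSITIVE_PREFIXES)


def scan(lines) -> list:
    """Return the indexes of log lines that match."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Because only the URI is inspected, a traversal string carried in the request body never reaches this check; that is the detection gap the appendix describes.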
YARA rules (langchain-path-traversal.yar, 2 rules, Lane 2 — Vulnerability-Informed):
- RAXE_2026_046_LangChain_PromptConfig_PathTraversal_JSON: Matches JSON prompt configuration files containing both a LangChain structural field and a directory traversal sequence or high-value absolute path target. Suitable for scanning configuration directories, HTTP body captures, job queue payloads, and container image layers.
- RAXE_2026_046_LangChain_PromptConfig_PathTraversal_YAML: Equivalent coverage for YAML-format prompt configurations.
Both YARA rules scan for traversal sequences and absolute path targets derived from the NVD advisory description and standard CWE-22 exploitation patterns. No indicators of compromise have been invented beyond what is documented in the advisory.
MITRE ATT&CK mappings relevant to detection rule tuning: T1083 (File and Directory Discovery), T1552.001 (Unsecured Credentials: Credentials in Files), T1190 (Exploit Public-Facing Application).
Remediation
Actions are listed in priority order.
- Upgrade langchain-core to version 1.2.22 or later. The fix is available on PyPI (verified: langchain-core 1.2.22 confirmed at https://pypi.org/pypi/langchain-core/1.2.22/json). Run pip install --upgrade langchain-core and pin the dependency in your requirements files. Confirm the installed version with pip show langchain-core | grep Version.
- Audit all code paths that pass external input to prompt loading functions. Review any use of langchain_core.prompts.loading that incorporates file paths derived from user input, API parameters, tool outputs, or deserialised external configuration. Apply strict path validation as a defence-in-depth measure: canonicalise paths, reject traversal sequences, and enforce a base directory allowlist even after upgrading.
- Harden container and process filesystem permissions. Run LangChain application processes with the minimum required filesystem access. Where feasible, mount filesystems read-only and apply seccomp or AppArmor profiles to restrict file open operations to expected directories.
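One way to apply the path validation from the audit step is to check a prompt configuration dictionary before it reaches any loading function. This is an added example, not code from langchain-core or the advisory: the field names file, path, template_path and examples come from this page, while treating any other key ending in _path as a path, the base directory, and the sample configs are assumptions.

```python
from pathlib import Path

# Path-bearing fields named on this page; a string-valued "examples" and any
# other "*_path" key are treated as paths too (conservative assumption).
PATH_FIELDS = {"file", "path", "template_path", "examples"}
ALLOWED_SUFFIXES = {".txt", ".json", ".yaml"}

class UnsafePromptPath(ValueError):
    """A config field points outside the prompt directory."""

def check_path(value: str, base_dir: Path) -> Path:
    """Canonicalise value under base_dir and enforce containment."""
    base = base_dir.resolve()
    # Joining an absolute value discards base, so absolute paths fail the
    # containment test just like ../ sequences. resolve() follows symlinks.
    candidate = (base / value).resolve()
    if not candidate.is_relative_to(base):
        raise UnsafePromptPath(f"{value!r} resolves outside {base}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePromptPath(f"{value!r} has a disallowed extension")
    return candidate

def validate_prompt_config(config, base_dir: Path) -> list:
    """Walk a nested config and validate every path-bearing string field."""
    checked = []
    if isinstance(config, dict):
        for key, val in config.items():
            is_path_key = key in PATH_FIELDS or str(key).endswith("_path")
            if is_path_key and isinstance(val, str):
                checked.append(check_path(val, base_dir))
            else:
                checked.extend(validate_prompt_config(val, base_dir))
    elif isinstance(config, list):
        for item in config:
            checked.extend(validate_prompt_config(item, base_dir))
    return checked

if __name__ == "__main__":
    # Constructed sample configs, not taken from the advisory.
    base = Path("/srv/app/prompts")
    for cfg in ({"_type": "prompt", "template_path": "greet.txt"},
                {"_type": "prompt", "template_path": "../../etc/passwd"}):
        try:
            print("ok:", validate_prompt_config(cfg, base))
        except UnsafePromptPath as exc:
            print("rejected:", exc)
```

Call validate_prompt_config on the deserialised dictionary and hand it to the loader only if no exception is raised; the containment test is made on the resolved path, so a symlink inside the base directory that points elsewhere is rejected as well.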
Timeline
| Date | Event |
|---|---|
| 2026-03-31 | CVE-2026-34070 published by NVD (NVD API: 2026-03-31T03:15:58Z UTC; NVD web page may display 2026-03-30 in US timezone rendering) |
| 2026-04-03 | Signal ingested from NVD feed; TIB-2026-1010 created (signal archive) |
| 2026-04-03 | Finding promoted to RAXE-2026-046; PoC, detection rules, and brief completed |
| 2026-04-03 | Fact-check passed: 2/2 validators (cve_product_match, cvss_score_match) |
| 2026-04-03 | Publication draft authored |
References
- NVD — CVE-2026-34070: LangChain Path Traversal in Prompt Loading. https://nvd.nist.gov/vuln/detail/CVE-2026-34070
- GitHub Security Advisory GHSA-qh6h-p6c9-ff54. https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54
- Fix commit — harden path checks in langchain_core.prompts.loading. https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c
- LangChain release tag langchain-core==1.2.22. https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22
- PyPI — langchain-core 1.2.22. https://pypi.org/pypi/langchain-core/1.2.22/json
- FIRST.org EPSS Score for CVE-2026-34070. https://api.first.org/data/v1/epss?cve=CVE-2026-34070
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory. https://cwe.mitre.org/data/definitions/22.html
Appendix: RAXE Assessment Notes
The following observations represent RAXE analytical judgements and are labelled accordingly. They are not sourced directly from the vendor advisory or NVD.
On attack surface prevalence (RAXE assessment): LangChain is a commonly used framework in enterprise LLM applications, retrieval-augmented generation pipelines, and multi-agent orchestration systems (RAXE assessment). The risk is elevated in multi-tenant or API-exposed deployments where end-users can supply prompt template parameters or tool configurations. Environments where the LangChain process runs with broad filesystem permissions — common in container deployments without read-only filesystem mounts — face higher practical impact from a successful exploit.
On exploitation trajectory (RAXE assessment): Path traversal vulnerabilities in application-layer frameworks have historically seen delayed uptake relative to infrastructure-layer vulnerabilities. Exploitation typically requires knowledge of the target application's input-handling architecture before traversal sequences can be positioned correctly. The current low EPSS score (14.9th percentile, FIRST.org) is consistent with this pattern. The zero-authentication requirement means that once an attacker identifies a viable input path, exploit execution is uncomplicated. Organisations with externally accessible LangChain deployments that accept user-defined prompt configurations should treat this as a patch-priority item regardless of the current EPSS percentile.
On detection coverage (RAXE assessment): The Sigma and YARA rules provided cover both the delivery surface (HTTP request bodies and process command lines) and configuration files at rest. The primary detection gap is in-process deserialisation of attacker-controlled data received over a network socket where the traversal sequence never appears in a log line. Complementary controls — input validation at the application layer and filesystem permission hardening — are recommended to address this gap.
Admiralty Grade: A2 — Reliability A (NVD is the official US government vulnerability database), Credibility 2 (information corroborated by GitHub Security Advisory GHSA-qh6h-p6c9-ff54 and vendor fix commit 27add913474e01e33bededf4096151130ba0d47c).
Access Tier: T1 — Black-box. The vulnerability is reachable from a network position without credentials, consistent with the CVSS vector AV:N/PR:N.