CVE-2026-55443: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in langchain-ai langchain
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source — including an LLM acting on untrusted input — the result can be disclosure of files outside the intended boundary. This vulnerability is fixed in 1.3.9.
AI Analysis
Technical Summary
LangChain versions before 1.3.9 contain a path traversal vulnerability where components that handle filesystem paths or glob patterns fail to restrict resolved paths within a trusted root directory. This includes middleware that validates starting directories but not search patterns or symlink targets, loaders that resolve paths without confinement or symlink rejection, and authorization checks that use string prefix comparison without proper path-segment boundaries. When these components process path inputs influenced by untrusted sources, including LLMs acting on untrusted input, files outside the intended directory can be disclosed. The vulnerability is addressed in version 1.3.9.
Potential Impact
An attacker able to influence path inputs or search patterns can cause the application to disclose files outside the intended directory boundaries. This leads to unauthorized information disclosure (confidentiality impact). There is no indication of integrity or availability impact. The CVSS score is 5.1 (medium severity) reflecting local attack vector with high complexity and no privileges required.
Mitigation Recommendations
Upgrade to langchain version 1.3.9 or later, where this path traversal vulnerability is fixed. No other official remediation or temporary fixes are documented. Until upgrading, avoid processing untrusted input in path or search pattern fields that could influence filesystem access.
CVE-2026-55443: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in langchain-ai langchain
Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source — including an LLM acting on untrusted input — the result can be disclosure of files outside the intended boundary. This vulnerability is fixed in 1.3.9.
CVSS v3.1
Score 5.1medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LangChain versions before 1.3.9 contain a path traversal vulnerability where components that handle filesystem paths or glob patterns fail to restrict resolved paths within a trusted root directory. This includes middleware that validates starting directories but not search patterns or symlink targets, loaders that resolve paths without confinement or symlink rejection, and authorization checks that use string prefix comparison without proper path-segment boundaries. When these components process path inputs influenced by untrusted sources, including LLMs acting on untrusted input, files outside the intended directory can be disclosed. The vulnerability is addressed in version 1.3.9.
Potential Impact
An attacker able to influence path inputs or search patterns can cause the application to disclose files outside the intended directory boundaries. This leads to unauthorized information disclosure (confidentiality impact). There is no indication of integrity or availability impact. The CVSS score is 5.1 (medium severity) reflecting local attack vector with high complexity and no privileges required.
Mitigation Recommendations
Upgrade to langchain version 1.3.9 or later, where this path traversal vulnerability is fixed. No other official remediation or temporary fixes are documented. Until upgrading, avoid processing untrusted input in path or search pattern fields that could influence filesystem access.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-16T21:59:57.018Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a398861eed863c81e5021d4
Added to database: 06/22/2026, 19:09:21 UTC
Last enriched: 06/22/2026, 19:24:27 UTC
Last updated: 06/23/2026, 01:50:17 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.