Cyber Posture

CVE-2026-34070

HighPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0003 9.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34070 is a high-severity Path Traversal (CWE-22) vulnerability in Langchain Langchain. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of user-supplied prompt configurations to block directory traversal and absolute path injection in LangChain's load_prompt functions.

SI-2 Flaw Remediation good match
prevent

Mandates timely patching of the known path traversal flaw in LangChain, as fixed in version 1.2.22.

AC-6 Least Privilege partial match
prevent

Limits damage from successful path traversal by enforcing least privilege on the host process, restricting access to sensitive files.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
attack.mitre.org →
Why these techniques?

Path traversal in LangChain prompt loading functions allows remote unauthenticated file reads on the host (T1005 Data from Local System, T1083 File and Directory Discovery) when user-supplied configs are processed; this is a classic remote exploit of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes…

more

user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.

Deeper analysisAI

CVE-2026-34070 is a path traversal vulnerability (CWE-22) affecting the LangChain framework, an open-source tool for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in the langchain_core.prompts.loading module read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. This flaw arises when applications invoke load_prompt() or load_prompt_from_config() with user-influenced prompt configurations, enabling unauthorized file access on the host filesystem, limited only by file extension checks (.txt for templates, .json/.yaml for examples). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

A remote, unauthenticated attacker can exploit this issue by supplying a maliciously crafted prompt configuration dictionary to a vulnerable LangChain application. If the application deserializes and passes this input to the affected loading functions, the attacker can traverse directories or inject absolute paths to read sensitive files accessible to the host process. Exploitation requires no privileges or user interaction, making it suitable for automated attacks over the network, though success depends on the application's handling of external prompt data.

The issue was addressed in LangChain version 1.2.22, as detailed in the project's security advisory (GHSA-qh6h-p6c9-ff54), release notes, and the patching commit (27add913474e01e33bededf4096151130ba0d47c). Security practitioners should upgrade to 1.2.22 or later and audit applications for safe handling of user-supplied prompt configurations to prevent deserialization of untrusted inputs.

Details

CWE(s)
CWE-22

Affected Products

langchain
langchain
≤ 1.2.22

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langchain, llm

CVEs Like This One

CVE-2024-58340Same product: Langchain Langchain
CVE-2026-27795Same vendor: Langchain
CVE-2026-30914Shared CWE-22
CVE-2025-60946Shared CWE-22
CVE-2024-57549Shared CWE-22
CVE-2025-2264Shared CWE-22
CVE-2026-6024Shared CWE-22
CVE-2025-67160Shared CWE-22
CVE-2026-25750Same vendor: Langchain
CVE-2026-22557Shared CWE-22

References