Cyber Resilience

CVE-2026-34070

HighPublic PoCUpdated

Published: 31 March 2026

Published
31 March 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0004 11.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34070 is a high-severity Path Traversal (CWE-22) vulnerability in Langchain Langchain Core. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as NLP and Transformers; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34070 is a path traversal vulnerability (CWE-22) affecting the LangChain framework, an open-source tool for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in the langchain_core.prompts.loading module read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. This flaw arises when applications invoke load_prompt() or load_prompt_from_config() with user-influenced prompt configurations, enabling unauthorized file access on the host filesystem, limited only by file extension checks (.txt for templates, .json/.yaml for examples). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

A remote, unauthenticated attacker can exploit this issue by supplying a maliciously crafted prompt configuration dictionary to a vulnerable LangChain application. If the application deserializes and passes this input to the affected loading functions, the attacker can traverse directories or inject absolute paths to read sensitive files accessible to the host process. Exploitation requires no privileges or user interaction, making it suitable for automated attacks over the network, though success depends on the application's handling of external prompt data.

The issue was addressed in LangChain version 1.2.22, as detailed in the project's security advisory (GHSA-qh6h-p6c9-ff54), release notes, and the patching commit (27add913474e01e33bededf4096151130ba0d47c). Security practitioners should upgrade to 1.2.22 or later and audit applications for safe handling of user-supplied prompt configurations to prevent deserialization of untrusted inputs.

EU & UK References

Vulnerability details

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes…

more

user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langchain, llm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Path traversal in LangChain prompt loading functions allows remote unauthenticated file reads on the host (T1005 Data from Local System, T1083 File and Directory Discovery) when user-supplied configs are processed; this is a classic remote exploit of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68664Same product: Langchain Langchain Core
CVE-2026-44843Same vendor: Langchain
CVE-2026-27795Same vendor: Langchain
CVE-2025-60946Shared CWE-22
CVE-2026-6024Shared CWE-22
CVE-2025-67160Shared CWE-22
CVE-2026-49128Shared CWE-22
CVE-2026-7384Shared CWE-22
CVE-2026-30914Shared CWE-22
CVE-2026-22557Shared CWE-22

Affected Assets

langchain
langchain core
≤ 1.2.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied prompt configurations to block directory traversal and absolute path injection in LangChain's load_prompt functions.

prevent

Mandates timely patching of the known path traversal flaw in LangChain, as fixed in version 1.2.22.

prevent

Limits damage from successful path traversal by enforcing least privilege on the host process, restricting access to sensitive files.

References