Skip to main content

Langchain Anthropic

1 CVEs product

Monthly

CVE-2026-55443 PyPI MEDIUM PATCH This Month

Path traversal and sandbox escape in LangChain prior to 1.3.9 allow untrusted inputs - including LLM-generated content steered by adversarial prompts - to escape a configured filesystem root boundary. Three components are affected: a file-search agent middleware that validates a starting directory but not glob patterns or symlink targets; prompt and chain/agent configuration loaders that resolve path fields without root confinement; and path-prefix authorization logic that performs string-prefix comparison without segment boundaries, allowing sibling paths to bypass access controls. No public exploit code has been identified at time of analysis and this CVE does not appear in CISA KEV, but the risk is meaningful for any deployment that exposes LangChain filesystem agents to untrusted user input or LLM prompt injection.

Path Traversal Langchain Langchain Anthropic
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Path traversal and sandbox escape in LangChain prior to 1.3.9 allow untrusted inputs - including LLM-generated content steered by adversarial prompts - to escape a configured filesystem root boundary. Three components are affected: a file-search agent middleware that validates a starting directory but not glob patterns or symlink targets; prompt and chain/agent configuration loaders that resolve path fields without root confinement; and path-prefix authorization logic that performs string-prefix comparison without segment boundaries, allowing sibling paths to bypass access controls. No public exploit code has been identified at time of analysis and this CVE does not appear in CISA KEV, but the risk is meaningful for any deployment that exposes LangChain filesystem agents to untrusted user input or LLM prompt injection.

Path Traversal Langchain Langchain Anthropic
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy