Home / Vulnerability Intelligence / CVE-2026-34070

CVE-2026-34070 - Vulnerability Analysis

HighCVSS: 7.5

Last Updated: March 31, 2026

LangChain - Path Traversal

Published: March 31, 2026Updated: March 31, 2026PoC AvailableRemote Exploitable

Overview

LangChain < 1.2.22 contains a path traversal caused by unvalidated file paths in deserialized config dicts in langchain_core.prompts.loading, letting attackers read arbitrary files with certain extensions, exploit requires user-influenced prompt configurations.

Severity & Score

Severity: High

CVSS Score: 7.5

Impact

Attackers can read arbitrary files on the host filesystem, potentially exposing sensitive information.

Mitigation

Upgrade to version 1.2.22 or later.

References

https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c
https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22
https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34070
Severity: High
CVSS Score: 7.5
Type: path_traversal
Status: new

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N