EXECUTIVE SUMMARY:
CVE-2026-44843 with a CVSS score of 8.2 is a vulnerability in LangChain's unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists. Affected software includes langchain-core versions greater than or equal to 1.0.0 and less than or equal to 1.3.2, as well as versions less than or equal to 0.3.84. LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists, which allows attacker-supplied LangChain serialized constructor dictionaries to revive classes with untrusted constructor arguments. An attacker can exploit this vulnerability by submitting untrusted structured input to an affected application, having that structure preserved in LangChain run data, and then using the application's affected API path to deserialize the run data. This allows the attacker to inject LangChain serialized constructor payloads, potentially leading to impacts such as persistent chat-history poisoning, prompt injection or behavior manipulation, instantiation of unexpected trusted LangChain objects, and possible credential disclosure or server-side requests. Prerequisites for exploitation include accepting untrusted structured input from a user or network request, not validating or canonicalizing that input, preserving attacker-controlled nested dictionaries or lists in LangChain run inputs or outputs, and using an affected API path that later deserializes that run data.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-44843 with a CVSS score of 8.2 is a vulnerability in LangChain's unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists. Affected software includes langchain-core versions greater than or equal to 1.0.0 and less than or equal to 1.3.2, as well as versions less than or equal to 0.3.84. LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists, which allows attacker-supplied LangChain serialized constructor dictionaries to revive classes with untrusted constructor arguments. An attacker can exploit this vulnerability by submitting untrusted structured input to an affected application, having that structure preserved in LangChain run data, and then using the application's affected API path to deserialize the run data. This allows the attacker to inject LangChain serialized constructor payloads, potentially leading to impacts such as persistent chat-history poisoning, prompt injection or behavior manipulation, instantiation of unexpected trusted LangChain objects, and possible credential disclosure or server-side requests. Prerequisites for exploitation include accepting untrusted structured input from a user or network request, not validating or canonicalizing that input, preserving attacker-controlled nested dictionaries or lists in LangChain run inputs or outputs, and using an affected API path that later deserializes that run data.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you to update langchain-core to version 1.3.3, 0.3.85.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-pjwx-r37v-7724