CVE-2026-44843 Overview
CVE-2026-44843 is an insecure deserialization vulnerability in LangChain, a framework for building agents and Large Language Model (LLM)-powered applications. Versions prior to 0.3.85 and 1.3.3 contain runtime code paths that deserialize run inputs, run outputs, and other application-controlled payloads using overly broad object allowlists. These paths invoke load() with allowed_objects="all", permitting any trusted LangChain-serializable object to be revived from attacker-supplied data. The vulnerability is classified as [CWE-502] Deserialization of Untrusted Data.
Critical Impact
Attacker-supplied LangChain serialized constructor dictionaries can cause trusted runtime paths to instantiate classes with untrusted constructor arguments, broadening the attack surface beyond what runtime paths require.
Affected Products
- LangChain versions prior to 0.3.85 (0.3.x branch)
- LangChain versions prior to 1.3.3 (1.x branch)
- Applications and agents built on vulnerable LangChain runtime paths
Discovery Timeline
- 2026-05-26 - CVE-2026-44843 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-44843
Vulnerability Analysis
LangChain provides a serialization layer that allows objects such as prompts, chains, and tools to be persisted and reloaded. The framework exposes a load() function that accepts an allowed_objects parameter to restrict which classes can be deserialized. Older runtime code paths within LangChain set this parameter to "all", effectively allowing any trusted LangChain-serializable class to be instantiated from a serialized payload.
This configuration does not allow arbitrary Python object deserialization in the style of pickle. However, it grants attackers the ability to construct any LangChain class by supplying a constructor dictionary. An attacker who controls run inputs, run outputs, or related application payloads can trigger instantiation of trusted classes with attacker-controlled constructor arguments, leading to confidentiality impact and limited integrity impact in the runtime context.
Root Cause
The root cause is an overly permissive allowlist in legacy runtime deserialization paths. By passing allowed_objects="all" to load(), these paths bypass the narrower class allowlist that the affected runtime operations actually require. The mismatch between the privileges granted by the allowlist and the operational needs of the runtime path produces the insecure deserialization condition.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker submits a crafted LangChain serialized payload as a run input, run output, or other application-controlled field. When the vulnerable runtime path processes the payload, it calls load() and revives the attacker-specified class with attacker-supplied constructor arguments. The resulting object behavior depends on which trusted class the attacker selects from the LangChain ecosystem.
No verified public proof-of-concept code is available at this time. Refer to the GitHub Security Advisory GHSA-pjwx-r37v-7724 for vendor technical details.
Detection Methods for CVE-2026-44843
Indicators of Compromise
- Inbound payloads to LangChain applications containing serialized constructor dictionaries with lc, type, id, and kwargs keys from untrusted sources
- Unexpected instantiation of LangChain classes during processing of run inputs or run outputs
- Anomalous outbound network connections originating from LangChain agent processes following payload ingestion
Detection Strategies
- Inventory LangChain installations and identify versions prior to 0.3.85 and 1.3.3 across development, staging, and production environments
- Audit application code for calls to load() and flag invocations where allowed_objects="all" is passed or where allowlists are not explicitly defined
- Inspect HTTP and message-queue payloads delivered to LangChain endpoints for LangChain-serialized JSON structures from untrusted callers
Monitoring Recommendations
- Log all deserialization events in LangChain runtime paths, including the class identifiers being revived
- Alert on LangChain processes spawning child processes or making outbound connections to unexpected destinations
- Monitor package manifests in CI/CD pipelines to confirm patched LangChain versions are pinned
How to Mitigate CVE-2026-44843
Immediate Actions Required
- Upgrade LangChain to version 0.3.85 (0.3.x branch) or 1.3.3 (1.x branch), or a later release, across all environments running agents or LLM applications
- Restrict network access to LangChain runtime endpoints so only trusted callers can submit run inputs and outputs
- Review application code for any direct use of load() and replace allowed_objects="all" with narrow, explicit class allowlists
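The code audit called for here and under Detection Strategies can be automated with Python's ast module. The following is an added example, not code from the advisory or from LangChain. The function name audit_source is hypothetical, covering loads() alongside load() is an assumption, and the sample source is constructed.

```python
import ast

def audit_source(source, filename="<string>"):
    """Return sorted (line, severity, message) findings for load()/loads() calls."""
    tree = ast.parse(source, filename)
    # Local names bound to load/loads imported from a langchain* module.
    lc_loaders = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and (node.module or "").startswith("langchain"):
            for alias in node.names:
                if alias.name in ("load", "loads"):
                    lc_loaders.add(alias.asname or alias.name)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        allowed = kwargs.get("allowed_objects")
        is_lc_loader = isinstance(node.func, ast.Name) and node.func.id in lc_loaders
        if isinstance(allowed, ast.Constant) and allowed.value == "all":
            findings.append((node.lineno, "high", 'allowed_objects="all"'))
        elif allowed is None and is_lc_loader:
            findings.append((node.lineno, "review", "no explicit allowed_objects"))
        elif allowed is not None and not isinstance(
                allowed, (ast.List, ast.Tuple, ast.Set, ast.Constant)):
            findings.append((node.lineno, "review", "allowed_objects is computed at runtime"))
    return sorted(findings)

# Constructed application source used only to exercise the auditor.
SAMPLE = '''
import json
from langchain_core.load import load, loads as lc_loads

cfg = json.load(open("cfg.json"))            # not LangChain: ignored
a = load(run_inputs, allowed_objects="all")  # high
b = lc_loads(blob)                           # review: no allowlist
c = load(run_outputs, allowed_objects=[PromptTemplate])  # explicit: ok
'''

if __name__ == "__main__":
    for line, severity, message in audit_source(SAMPLE):
        print(f"line {line}: {severity}: {message}")
```

Calls reached through an attribute (for example a module alias) are only caught when they pass allowed_objects="all", so treat a clean result as a starting point for manual review.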
Patch Information
The LangChain maintainers fixed the vulnerability in versions 0.3.85 and 1.3.3. Patched releases tighten the object allowlist used by affected runtime paths so that only the specific classes required by each path can be deserialized. Consult the GitHub Security Advisory GHSA-pjwx-r37v-7724 for the full list of affected modules and remediation guidance.
Workarounds
- If immediate upgrade is not possible, validate and sanitize all serialized payloads before they reach LangChain runtime paths
- Treat all run inputs and run outputs as untrusted and isolate LangChain workers in sandboxed environments with minimal privileges
- Block external submission of serialized LangChain objects at the application or API gateway layer until patching is complete
# Configuration example: upgrade LangChain to a patched release
pip install --upgrade "langchain>=1.3.3"
# Or for the 0.3.x branch
pip install --upgrade "langchain>=0.3.85,<1.0.0"
# Verify installed version
python -c "import langchain; print(langchain.__version__)"
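The payload inspection described under Indicators of Compromise and the pre-validation workaround above can share one screening routine placed in front of the LangChain worker. This is an added example, not code from the advisory or from LangChain. The names find_serialized and screen_payload are hypothetical, the class ids in the sample are constructed placeholders, and matching on lc, type and id without requiring kwargs is an assumption.

```python
import json

MARKERS = {"lc", "type", "id"}  # keys the advisory lists; kwargs not required here

def find_serialized(node, path="$"):
    """Yield (json_path, type, dotted_id) for each LangChain-serialized dict."""
    if isinstance(node, dict):
        if MARKERS <= node.keys() and isinstance(node["id"], list):
            yield path, str(node["type"]), ".".join(map(str, node["id"]))
        for key, value in node.items():
            yield from find_serialized(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_serialized(value, f"{path}[{i}]")
    elif isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        # A string field can carry a second, embedded JSON document.
        try:
            inner = json.loads(node)
        except ValueError:
            return
        yield from find_serialized(inner, path + "<json>")

def screen_payload(raw, allowed_ids=frozenset()):
    """Return (accept, hits); reject if any serialized id is not allowlisted."""
    try:
        hits = list(find_serialized(json.loads(raw)))
    except (ValueError, RecursionError):
        return False, [("$", "unparseable", "")]
    return all(h[2] in allowed_ids for h in hits), hits

# Constructed sample request body; the class ids are placeholders.
def _obj(*ident):
    return {"lc": 1, "type": "constructor", "id": list(ident), "kwargs": {}}

SAMPLE = json.dumps({
    "input": "summarise this ticket",
    "history": [_obj("example_pkg", "Allowed")],
    "metadata": {"note": json.dumps(_obj("example_pkg", "Hidden"))},
})

if __name__ == "__main__":
    ok, hits = screen_payload(SAMPLE, {"example_pkg.Allowed"})
    print("accept" if ok else "reject")
    for hit in hits:
        print(*hit)
```

With an empty allowed_ids set the routine rejects every request that carries a serialized object, which matches the gateway-blocking workaround; logging the returned hits gives the class identifiers the monitoring recommendations ask for.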