CVE-2026-55443 Overview
CVE-2026-55443 is a path traversal vulnerability [CWE-22] in LangChain, a framework for building agents and large language model (LLM)-powered applications. Versions prior to 1.3.9 contain multiple components that fail to confine resolved filesystem paths to the intended root directory. Affected behaviors include a file-search agent middleware, prompt and chain/agent configuration loaders, and path-prefix authorization checks. When these components process path values or search patterns influenced by an untrusted source, including an LLM acting on untrusted input, attackers can disclose files outside the intended boundary.
Critical Impact
Attackers controlling LLM inputs or workspace contents can read files outside configured directories through glob patterns, symlinks, and sibling-path prefix bypasses.
Affected Products
- LangChain versions prior to 1.3.9
- LangChain Anthropic integration (langchain_anthropic) middleware components
- Applications using LangChain prompt and chain/agent configuration loaders
Discovery Timeline
- 2026-06-22 - CVE-2026-55443 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-55443
Vulnerability Analysis
The vulnerability affects three distinct LangChain components that handle filesystem paths. The file-search agent middleware validates a starting directory but does not validate the search pattern or the resolved target of matched files. Glob patterns and symbolic links can therefore reach files outside the configured root directory. Prompt and chain/agent configuration loaders accept path fields and resolve them without confining results to a trusted base or rejecting symlink targets. Path-prefix authorization checks compare strings using raw prefix matching without a path-segment boundary.
Root Cause
The root cause is inconsistent path containment logic across multiple LangChain components. Path-prefix checks using raw string comparison treat /memories2/evil.txt as a valid descendant of /memories because the textual prefix matches. Symlink resolution and glob expansion are not constrained to the allowed root, allowing traversal through filesystem indirection.
Attack Vector
An attacker influences path values, search patterns, or workspace contents consumed by a LangChain agent. This influence can come through prompt injection where an LLM acts on untrusted input and constructs malicious paths. The attacker uses glob patterns, symbolic links, or sibling-prefix paths to escape the configured root and disclose files such as configuration secrets, source code, or credentials.
# Patch from LangChain commit dcaf7795a3e6590af55c3ff7bda6add6355e9ea6
def _is_within_allowed_prefix(normalized: str, prefixes: Sequence[str]) -> bool:
"""Check whether a normalized path lies within an allowed prefix directory.
Uses a segment-boundary comparison rather than a raw string prefix test so
that sibling directories sharing a textual prefix cannot escape the allowed
directory. For example, with prefix `/memories` the path `/memories2/evil.txt`
is rejected because it is not the prefix itself nor a descendant of it.
"""
for prefix in prefixes:
prefix_dir = prefix.rstrip("/")
if normalized == prefix_dir or normalized.startswith(f"{prefix_dir}/"):
return True
return False
Source: LangChain GitHub Commit dcaf779
This patch introduces segment-boundary path comparison in _validate_path to reject sibling directories sharing a textual prefix.
Detection Methods for CVE-2026-55443
Indicators of Compromise
- File access events from LangChain agent processes targeting paths outside configured workspace roots
- Glob expansion patterns containing .. traversal sequences or wildcards resolving to sensitive system paths
- Symbolic link creation within agent-accessible directories pointing to files outside the workspace root
Detection Strategies
- Audit LangChain application logs for path resolution operations referencing files outside intended root directories
- Monitor agent middleware invocations where search patterns include glob metacharacters or symlink targets
- Inspect prompt and chain configuration files for path fields resolving to unexpected filesystem locations
Monitoring Recommendations
- Enable filesystem auditing on directories used as LangChain agent workspace roots
- Log all file-search middleware operations including resolved target paths for post-hoc analysis
- Track LangChain package versions across deployments to identify hosts running versions prior to 1.3.9
How to Mitigate CVE-2026-55443
Immediate Actions Required
- Upgrade LangChain to version 1.3.9 or later across all environments using the framework
- Audit existing LangChain deployments for exposure of file-search middleware to untrusted LLM inputs
- Review prompt and agent configuration loaders for path fields populated from untrusted sources
Patch Information
The vulnerability is fixed in LangChain version 1.3.9. The patch introduces the _is_within_allowed_prefix function that performs segment-boundary path comparison instead of raw string prefix matching. The fix also tightens validation of glob patterns and symlink targets in the file-search agent middleware. Refer to the LangChain GitHub Security Advisory GHSA-gr75-jv2w-4656 for complete remediation details.
Workarounds
- Restrict LangChain agent workspace roots to isolated directories containing no sensitive files
- Remove or disable file-search agent middleware in deployments where LLM inputs cannot be fully trusted
- Validate and canonicalize all path fields in prompt and chain configurations before passing them to LangChain loaders
- Disable symbolic link following within LangChain agent workspace directories at the filesystem level
# Upgrade LangChain to the patched version
pip install --upgrade "langchain>=1.3.9"
# Verify installed version
pip show langchain | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

