{
  "threat_severity" : "Important",
  "public_date" : "2026-03-31T02:01:49Z",
  "bugzilla" : {
    "description" : "langchain: path traversal in legacy load_prompt functions in langchain-core",
    "id" : "2453287",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2453287"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.", "A flaw was found in LangChain. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem." ],
  "statement" : "This flaw is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose `load_prompt_from_config()`.\nAlso, the affected functions (`load_prompt`, `load_prompt_from_config` and the `.save()` method on prompt classes) are undocumented legacy APIs. They are superseded by the `dumpd`/`dumps`/`load`/`loads` serialization APIs in `langchain_core.load`, which do not perform filesystem reads and use an allowlist-based security model.\nAn attacker who controls or influences the prompt configuration dictionary can read files outside the intended directory, such as cloud-mounted secrets, internal system prompts, cloud credentials, Kubernetes manifests, CI/CD configs and application settings.\nDue to these reasons, this vulnerability has been rated with an important severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24766",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-automation-platform-25/lightspeed-rhel8:1780082949"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Lightspeed",
    "fix_state" : "Affected",
    "package_name" : "openshift-lightspeed/lightspeed-service-api-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_lightspeed"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "ansible-automation-platform-26/lightspeed-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-llama-stack-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-trustyai-nemo-guardrails-server-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34070\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34070\nhttps://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54" ],
  "name" : "CVE-2026-34070",
  "mitigation" : {
    "value" : "As described in the statement section, the vulnerable methods are legacy APIs and their use should be avoided. To mitigate this issue, the dumpd, dumps, load and loads methods from langchain_core.load should be used, as they supersede the legacy API and provide a more secure serialization model.",
    "lang" : "en:us"
  },
  "csaw" : false
}