CVE-2026-44843
Status: Received - Intake
Deserialization Flaw in LangChain Framework

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3.
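The following is an added illustration, not LangChain's own code: a simplified model of a constructor-dictionary loader that mirrors the shape of LangChain's serialized form ({"lc": 1, "type": "constructor", "id": [...], "kwargs": {...}}) and shows why an allowlist of "all" is broader than a runtime path needs. The registry, the RemoteEndpoint class and the id paths are assumptions for the example.

```python
"""Constructed model of a LangChain-style loader; not the framework's code."""
from dataclasses import dataclass


@dataclass
class HumanMessage:          # stand-in for the one class a message path expects
    content: str


@dataclass
class RemoteEndpoint:        # hypothetical second class in the trusted registry
    url: str
    timeout: int = 5


# Hypothetical registry of "trusted serializable" classes keyed by id path.
REGISTRY = {
    ("langchain", "schema", "messages", "HumanMessage"): HumanMessage,
    ("example", "net", "RemoteEndpoint"): RemoteEndpoint,
}


class DisallowedObject(ValueError):
    pass


def load(obj, *, allowed_objects):
    """Revive one constructor payload. allowed_objects is "all" (the over-broad
    setting described in the advisory) or the set of classes this path expects."""
    if not (isinstance(obj, dict) and obj.get("lc") == 1
            and obj.get("type") == "constructor"):
        raise ValueError("not a constructor payload")
    cls = REGISTRY.get(tuple(obj["id"]))
    if cls is None:
        raise DisallowedObject(f"unknown class id {obj['id']}")
    if allowed_objects != "all" and cls not in allowed_objects:
        raise DisallowedObject(f"{cls.__name__} not permitted on this path")
    return cls(**obj.get("kwargs", {}))   # untrusted kwargs reach the constructor


# Constructed payload naming a class the message path never needs.
PAYLOAD = {"lc": 1, "type": "constructor",
           "id": ["example", "net", "RemoteEndpoint"],
           "kwargs": {"url": "http://example.invalid/", "timeout": 0}}


def revive_with_all():
    """Over-broad allowlist: any registered class is built from payload kwargs."""
    return load(PAYLOAD, allowed_objects="all")


def revive_narrow():
    """Narrow allowlist: returns the name of the exception raised, else None."""
    try:
        load(PAYLOAD, allowed_objects={HumanMessage})
    except DisallowedObject as exc:
        return type(exc).__name__
    return None
```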
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-05-27
AI Q&A: 2026-05-27
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Showing 3 associated CPEs
Vendor     Product     Version / Range
langchain  langchain   0.3.85
langchain  langchain   1.3.3
langchain  langchain   < 0.3.85 and < 1.3.3 (end excluding)
CWE
CWE ID    Description
CWE-502   The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in LangChain versions prior to 0.3.85 and 1.3.3. It involves older runtime code paths that deserialize inputs, outputs, or other payloads using overly broad object allowlists. Specifically, these paths may call a load() function with allowed_objects set to "all", which allows any trusted LangChain-serializable object to be revived.

While this does not enable arbitrary Python object deserialization, it does allow attacker-supplied serialized constructor dictionaries to cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This means an attacker can influence the creation of objects in a way that was not intended, potentially leading to unexpected behavior.

The vulnerability is fixed in LangChain versions 0.3.85 and 1.3.3.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker to supply specially crafted serialized data that causes the application to instantiate classes with untrusted constructor arguments. This can lead to unintended behavior within the application, potentially compromising the integrity of the runtime environment.

According to the CVSS score of 8.2, the vulnerability has a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. It can cause high confidentiality impact and low integrity impact, but no availability impact.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade LangChain to version 0.3.85 or 1.3.3 or later, where the issue with overly broad object allowlists in deserialization paths has been fixed.

