Executive Summary

CVE-2026-55443 is a vulnerability in LangChain components that handle filesystem paths or expand search patterns. These components fail to consistently restrict resolved paths to the intended root directory, which can allow path traversal or sandbox escape.

Specifically, a file-search agent middleware validates only the starting directory but not the search patterns or resolved file targets, allowing glob patterns and symlinks to access files outside the configured root. Additionally, loaders that accept path fields do not confine results to a trusted base or reject symlink targets, and path-prefix authorization checks compare by string prefix without enforcing path-segment boundaries, which can mistakenly accept sibling paths sharing the prefix.

When these components receive path values, search patterns, or workspace contents influenced by untrusted sources (such as an LLM acting on untrusted input), they may disclose files outside the intended boundary.

This vulnerability affects LangChain versions up to 1.3.8 and langchain-anthropic versions up to 1.4.5 and is fixed in versions 1.3.9 and 1.4.6 respectively.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of files outside the intended root directory when untrusted input influences path values or search patterns.

An attacker with local access and the ability to influence inputs to LangChain components could exploit this to access sensitive files or data that should be confined within a restricted directory.

The impact is limited by the requirement for local access and high attack complexity, but it does not require privileges or user interaction.

Users of affected LangChain versions may experience data leakage or exposure of files outside intended boundaries, potentially compromising confidentiality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves path traversal and sandbox escape issues in LangChain components that resolve filesystem paths or expand search patterns. Detection involves checking if file-search operations or loaders are resolving paths outside their intended root directories, especially when influenced by untrusted input.

To detect potential exploitation or presence of this vulnerability, you can:

• Review logs or outputs of LangChain file-search agents or loaders for any resolved paths that lie outside the configured root directory.
• Check for usage of glob patterns containing '..', absolute paths, or '~' which are indicators of path traversal attempts.
• Use commands to find symlinks or files outside expected directories that might be accessed by LangChain components.

Example commands to assist detection (assuming a Unix-like system):

• Find symlinks in the workspace directory: `find /path/to/workspace -type l -ls`
• Search for files outside the intended root that might be accessed: `find / -path '/path/to/workspace/*' -prune -o -type f -print`
• Audit usage of glob patterns or configurations that include '..' or absolute paths in LangChain settings or logs.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should:

• Upgrade LangChain to version 1.3.9 or later, or langchain-anthropic to version 1.4.6 or later, where the vulnerability is fixed.
• Confine filesystem-backed agents to dedicated directories to limit the scope of accessible files.
• Validate and sanitize all input paths, search patterns, and workspace contents, especially those influenced by untrusted sources such as LLM prompts.
• Avoid enabling loading or execution of configurations or prompts from untrusted sources that can influence path resolution.
• Apply patches or updates that enforce path canonicalization, symlink resolution checks, and stricter path-prefix validation.

Useful 0 Not Useful 0