SB2026050631 - Deserialization of Untrusted Data in LangChain

Published: May 6, 2026

Security Bulletin ID SB2026050631
CSH Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Deserialization of Untrusted Data (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information and manipulate application behavior.

The vulnerability exists due to unsafe deserialization in the load() logic: untrusted structured input is retained in LangChain run data and later deserialized by load(). A remote attacker can submit crafted LangChain serialized constructor dictionaries to disclose sensitive information and manipulate application behavior.

Applications are exposed only if untrusted structured input is preserved in run inputs or outputs and later reaches affected runtime surfaces such as RunnableWithMessageHistory, astream_log(), or astream_events(version="v1").
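As an added defensive example (not code from the bulletin or from the LangChain project), the check below scans untrusted structured input for embedded LangChain-style serialized object dictionaries and rejects it before it can be preserved as run input or output. It assumes the public serialized form used by langchain_core.load (`{"lc": 1, "type": "constructor", "id": [...], "kwargs": {...}}`) and is a defense-in-depth measure alongside the vendor update, not a replacement for it.

```python
"""Reject LangChain serialized-object dictionaries hidden in untrusted run input."""
from typing import Any, Iterator

# Markers of LangChain's Serializable JSON form (assumed from the public
# langchain_core.load format: {"lc": 1, "type": "constructor", "id": [...], "kwargs": {...}}).
SERIALIZED_TYPES = {"constructor", "secret", "not_implemented"}


def find_serialized_objects(value: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, serialized_type) for every LangChain-style serialized dict found,
    walking nested dicts, lists and tuples so deeply buried payloads are not missed."""
    if isinstance(value, dict):
        if value.get("lc") == 1 and value.get("type") in SERIALIZED_TYPES:
            yield path, str(value["type"])
        for key, child in value.items():
            yield from find_serialized_objects(child, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for idx, child in enumerate(value):
            yield from find_serialized_objects(child, f"{path}[{idx}]")


def sanitize_run_input(value: Any) -> Any:
    """Return the input unchanged if it carries no serialized objects, else raise ValueError
    naming every location, so the rejection can be logged and alerted on."""
    hits = list(find_serialized_objects(value))
    if hits:
        where = ", ".join(f"{p} ({t})" for p, t in hits)
        raise ValueError(f"untrusted input contains LangChain serialized objects at: {where}")
    return value


# Constructed sample: a chat request whose 'question' field smuggles a serialized constructor dict.
SAMPLE_INPUT = {
    "session_id": "abc123",
    "question": {
        "lc": 1,
        "type": "constructor",
        "id": ["langchain", "schema", "messages", "HumanMessage"],
        "kwargs": {"content": "hello"},
    },
    "history": [{"role": "user", "text": "plain text is fine"}],
}

if __name__ == "__main__":
    try:
        sanitize_run_input(SAMPLE_INPUT)
    except ValueError as exc:
        print(exc)  # reports the offending path: $.question (constructor)
```

Apply the check at the boundary where user-supplied input enters a chain, before it is stored in message history or emitted through streaming log or event APIs.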


Remediation

Install update from vendor's website.