Improper input validation in LangChain - #VU125665


Published: April 9, 2026


Vulnerability identifier: #VU125665
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LangChain
Affected software:
LangChain

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper input validation in DictPromptTemplate and ImagePromptTemplate when an untrusted f-string template string is processed during formatting. Python's str.format-style replacement fields let the template, not the application, decide which attributes and items of the supplied variables are read, so a remote attacker who controls the template text can supply a specially crafted template containing attribute access expressions (for example {var.attribute}) or indexing expressions (for example {var[key]}) to read data reachable from the template variables and disclose sensitive information.

Only applications that let an untrusted party supply the template string itself are affected; supplying only the variable values is not sufficient. The practical impact depends on what is passed into template formatting: attribute access on plain string values yields little of interest, whereas richer Python objects expose their attributes and any data reachable through them.
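The following is an added illustration of the mechanism described above, not code from LangChain or from this advisory. It uses Python's own str.format / string.Formatter machinery, which is the general behaviour an f-string-style template relies on; the Config class, the secret value, the template strings and the StrictFormatter hardening are all constructed for the demonstration. It shows how an attacker-controlled template reaches into objects passed as variables, and one way an application can refuse such templates before formatting.

```python
import string


class Config:
    """Constructed stand-in for a 'richer Python object' handed to a template.
    Not LangChain code; the secret value is made up for the demonstration."""

    def __init__(self) -> None:
        self.api_key = "sk-constructed-secret"
        self.endpoint = "https://example.invalid"


# Constructed template text as an attacker might supply it when the application
# lets users control the template itself rather than only the variable values.
LEAKY_TEMPLATE = "Hello {name}. Key: {cfg.api_key} / {cfg.__dict__[endpoint]}"
SAFE_TEMPLATE = "Hello {name}, welcome back."


def render_naive(template: str, **variables) -> str:
    """str.format semantics: the template decides which attributes and items of
    the passed objects are read, so an untrusted template can walk into anything
    reachable from the variables."""
    return template.format(**variables)


class StrictFormatter(string.Formatter):
    """Allows only bare identifiers as replacement fields.

    Rejects attribute access ({x.attr}), indexing ({x[key]}), positional fields
    ({0}, {}) and !r/!s/!a conversions, which could otherwise expose object
    internals through repr()."""

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier():
            raise ValueError(f"disallowed replacement field: {{{field_name}}}")
        return kwargs[field_name], field_name

    def convert_field(self, value, conversion):
        if conversion is not None:
            raise ValueError(f"conversion !{conversion} is not allowed")
        return value


def render_strict(template: str, **variables) -> str:
    """Render with StrictFormatter; raises ValueError on any field expression."""
    return StrictFormatter().vformat(template, (), variables)


def template_is_safe(template: str) -> bool:
    """Pre-flight check for a template received from a user: True only when
    every replacement field is a bare identifier without a conversion."""
    for _literal, field_name, _spec, conversion in string.Formatter().parse(template):
        if field_name is None:
            continue  # trailing literal text, no field
        if not field_name.isidentifier() or conversion is not None:
            return False
    return True


if __name__ == "__main__":
    cfg = Config()
    print(render_naive(LEAKY_TEMPLATE, name="alice", cfg=cfg))  # leaks the key
    print(template_is_safe(LEAKY_TEMPLATE), template_is_safe(SAFE_TEMPLATE))
    try:
        render_strict(LEAKY_TEMPLATE, name="alice", cfg=cfg)
    except ValueError as exc:
        print("blocked:", exc)
    print(render_strict(SAFE_TEMPLATE, name="alice"))
```

The check in template_is_safe is the cheap place to enforce the policy: validate the template once when it is accepted, and keep formatting itself restricted (as render_strict does) so a template that slips past validation still cannot dereference attributes or keys at render time.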


Remediation

Install the security update from the vendor's website.

Sources