Localhost-Detect

#31184 of 53,608
8.2 Total CVSS
Vulnerabilities · 1
PT-2026-39304
8.2
2026-05-08
PyPI · LangChain · CVE-2026-44843
**Name of the Vulnerable Software and Affected Versions**

langchain versions prior to 0.3.27

**Description**

LangChain contains runtime code paths that deserialize inputs, outputs, and other application-controlled payloads using an overly broad object allowlist, specifically by calling `load()` with `allowed_objects="all"`. An attacker-supplied serialized constructor dictionary can therefore instantiate a trusted class with untrusted arguments. The result can be Server-Side Request Forgery (SSRF) against internal services, cloud metadata endpoints, or other sensitive network resources, which may lead to credential theft and persistent supply-chain compromise.

An application is exposed if it accepts untrusted structured input (such as JSON) without validation, preserves attacker-controlled nested dictionaries or lists in run data, and uses one of the affected API paths. Known affected surfaces are the `RunnableWithMessageHistory` class, the `astream_log()` method, and `astream_events(version="v1")`. In addition, a secret-marker validation bypass in `is_lc_secret` allows constructor dictionaries to avoid escaping during a `dumps()` to `loads()` round-trip.

**Recommendations**

Update langchain to version 0.3.27. Migrate away from the deprecated `RunnableWithMessageHistory` class, `astream_log()`, and `astream_events(version="v1")` in favor of newer streaming and memory patterns such as the `stream` API. Call `load()` and `loads()` only on trusted manifests or objects from trusted storage; never pass user-controlled data to them. When you do call `load()` or `loads()`, pass a narrow `allowed_objects` value instead of relying on broad defaults or `allowed_objects="all"`.
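The recommendations above come down to two controls: untrusted JSON must not carry LangChain serialization markers into run data, and anything that does reach `load()`/`loads()` must be gated by a narrow allowlist. The following is an added example written for this page, not code from the advisory or from the langchain project. It assumes only the shape of LangChain's `lc` serialization format (dicts with `"lc": 1` and a `"type"` of `constructor`, `secret` or `not_implemented`); the class id in the constructed payload, the helper names, and the `UntrustedPayloadError` type are hypothetical, and the guard is a pre-filter you run yourself, not a replacement for the `allowed_objects` parameter.

```python
"""Added example: reject LangChain `lc` serialization markers in untrusted JSON
before it is stored in run data or handed to load()/loads(). Not advisory or
langchain code; helper names and the sample class id are hypothetical."""
from __future__ import annotations

import json
from typing import Any, Iterable

# Marker types used by langchain_core.load's serialized format.
LC_MARKER_TYPES = {"constructor", "secret", "not_implemented"}


class UntrustedPayloadError(ValueError):
    """Raised when client-supplied JSON smuggles a serialization marker."""


def is_lc_marker(obj: Any) -> bool:
    """True if obj is a dict shaped like a LangChain serialization marker.

    The check is strict on type: "lc" must be the integer 1, and "type" must
    be one of the known marker kinds, so ordinary user dicts pass through.
    """
    return (
        isinstance(obj, dict)
        and obj.get("lc") == 1
        and obj.get("type") in LC_MARKER_TYPES
    )


def find_lc_markers(obj: Any, path: str = "$") -> list[str]:
    """Walk nested dicts/lists and return JSONPath-like locations of markers."""
    found: list[str] = []
    if is_lc_marker(obj):
        found.append(path)
    if isinstance(obj, dict):
        for key, value in obj.items():
            found.extend(find_lc_markers(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            found.extend(find_lc_markers(value, f"{path}[{index}]"))
    return found


def parse_untrusted_json(raw: str) -> Any:
    """Parse JSON from a client; refuse the whole document if any marker is present.

    Rejecting (rather than stripping) keeps the failure visible to the caller
    and avoids silently preserving attacker-controlled nested structures.
    """
    data = json.loads(raw)
    hits = find_lc_markers(data)
    if hits:
        raise UntrustedPayloadError(f"serialization markers at {hits}")
    return data


def is_rejected(raw: str) -> bool:
    """Convenience wrapper: did the guard refuse this request body?"""
    try:
        parse_untrusted_json(raw)
    except UntrustedPayloadError:
        return True
    return False


def constructor_allowed(marker: Any, allowed_ids: Iterable[tuple[str, ...]]) -> bool:
    """Narrow allowlist for a trusted manifest: exact match on the 'id' path.

    This mirrors the intent of a narrow `allowed_objects` value: a constructor
    dict is accepted only if its fully qualified id is explicitly listed.
    """
    if not is_lc_marker(marker) or marker.get("type") != "constructor":
        return False
    return tuple(marker.get("id", [])) in {tuple(a) for a in allowed_ids}


# Constructed sample request: the attacker hides a constructor dict inside
# chat metadata, pointing a hypothetical class at the cloud metadata endpoint.
MALICIOUS_OBJ = {
    "input": "hello",
    "metadata": {
        "trace": [
            {
                "lc": 1,
                "type": "constructor",
                "id": ["langchain", "example", "SomeClass"],  # hypothetical id
                "kwargs": {"url": "http://169.254.169.254/latest/meta-data/"},
            }
        ]
    },
}
MALICIOUS_REQUEST = json.dumps(MALICIOUS_OBJ)

# Constructed benign request: plain user data, no marker shape.
BENIGN_OBJ = {"input": "hello", "metadata": {"user": "alice", "tags": ["demo"]}}
BENIGN_REQUEST = json.dumps(BENIGN_OBJ)


if __name__ == "__main__":
    print("malicious rejected:", is_rejected(MALICIOUS_REQUEST))
    print("benign rejected:", is_rejected(BENIGN_REQUEST))
    print("marker paths:", find_lc_markers(MALICIOUS_OBJ))
```

Run `parse_untrusted_json` on every request body before it is attached to a run or stored as message history; if a trusted manifest must still be loaded, apply `constructor_allowed` with an explicit list of ids and then call `load()`/`loads()` with a correspondingly narrow `allowed_objects`.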