PT-2026-39304 · PyPI · LangChain

Dewankpant +6

Published 2026-05-08 · Updated 2026-06-17

CVE-2026-44843

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: langchain versions prior to 0.3.27
Description: LangChain contains runtime code paths that deserialize inputs, outputs, and other application-controlled payloads using overly broad object allowlists, specifically by calling load() with allowed_objects="all". This lets attacker-supplied serialized constructor dictionaries instantiate trusted classes with untrusted arguments. The issue can lead to Server-Side Request Forgery (SSRF), enabling access to internal services, cloud metadata endpoints, or other sensitive network resources, which may result in credential theft and persistent supply-chain compromise.
Applications are exposed if they accept untrusted structured input (such as JSON) without validation, preserve attacker-controlled nested dictionaries or lists in run data, and use the affected API paths. Known affected surfaces include the RunnableWithMessageHistory class, the astream_log() function, and the astream_events(version="v1") function. Additionally, a secret-marker validation bypass in the is_lc_secret function allows constructor dictionaries to avoid escaping during dumps()-to-loads() round trips.
Recommendations: Update langchain to version 0.3.27. Migrate away from the deprecated RunnableWithMessageHistory class, astream_log() function, and astream_events(version="v1") function in favor of newer streaming and memory patterns, such as the stream API. Call load() and loads() only on trusted manifests or objects from trusted storage; never pass user-controlled data to these functions. When using load() or loads(), provide a narrow allowed_objects value instead of relying on broad defaults or allowed_objects="all".
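The "narrow allowed_objects" recommendation can also be enforced before anything reaches load() or loads(). The following is an added example, not LangChain's own code and not from the advisory: a stdlib-only pre-check that walks an untrusted JSON payload in LangChain's serialized form (`{"lc": 1, "type": "constructor", "id": [...], "kwargs": {...}}`) and rejects any constructor whose dotted id path is outside an application-defined allowlist, as well as any `secret` marker. The allowlist contents, the `some_package.NotOnTheAllowlist` and `EXAMPLE_SECRET` names, and both sample payloads are constructed for this example. The real `allowed_objects` parameter remains the primary control; this check complements it by refusing a payload before deserialization starts and by giving you a findings list to log.

```python
import json
from typing import Any

# Constructed allowlist for this example: the dotted form of the "id" path that
# LangChain writes into each serialized constructor object. Keep it to the
# classes your application actually round-trips, and verify the paths against
# your own dumps() output rather than trusting this list as-is.
ALLOWED_IDS: frozenset[str] = frozenset({
    "langchain.schema.messages.HumanMessage",
    "langchain.schema.messages.AIMessage",
})


def _dotted(node: dict) -> str:
    """Join a serialized object's "id" list into one dotted path."""
    return ".".join(str(part) for part in node.get("id", []))


def find_disallowed(obj: Any, allowed: frozenset[str] = ALLOWED_IDS) -> list[str]:
    """Walk decoded JSON and report every LangChain serialized object that a
    narrow allowlist would reject.

    Two kinds of entry are flagged:
      * a "constructor" whose id path is not on the allowlist, which is exactly
        the kind of entry a broad allowed_objects="all" would instantiate;
      * any "secret" marker, because untrusted input must not get to choose
        which secrets are resolved at load time.
    The walk only touches plain dicts and lists, so nothing is instantiated.
    """
    findings: list[str] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            if node.get("lc") == 1:
                kind = node.get("type")
                if kind == "constructor" and _dotted(node) not in allowed:
                    findings.append("constructor:" + _dotted(node))
                elif kind == "secret":
                    findings.append("secret:" + _dotted(node))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(obj)
    return findings


def audit(text: str, allowed: frozenset[str] = ALLOWED_IDS) -> list[str]:
    """Parse JSON text and return the findings for it."""
    return find_disallowed(json.loads(text), allowed)


def is_safe_to_load(text: str, allowed: frozenset[str] = ALLOWED_IDS) -> bool:
    """True only if the payload contains nothing a narrow allowlist would reject."""
    return not audit(text, allowed)


# Constructed sample inputs (not taken from the advisory).
BENIGN = json.dumps({
    "lc": 1, "type": "constructor",
    "id": ["langchain", "schema", "messages", "HumanMessage"],
    "kwargs": {"content": "hello"},
})

# Same shape, but nested inside a list in a run-data style payload, naming a
# class that is not on the allowlist (placeholder name) and a secret marker.
SUSPICIOUS = json.dumps({
    "history": [
        {"lc": 1, "type": "constructor",
         "id": ["some_package", "NotOnTheAllowlist"],
         "kwargs": {"api_key": {"lc": 1, "type": "secret", "id": ["EXAMPLE_SECRET"]}}},
    ]
})

if __name__ == "__main__":
    print(audit(BENIGN))      # []
    print(audit(SUSPICIOUS))  # ['constructor:some_package.NotOnTheAllowlist', 'secret:EXAMPLE_SECRET']
```

Run this check on any JSON that an application persists into message history or run data before handing it to loads(), and treat a non-empty findings list as a rejected request worth logging, since the id path tells you which class the payload tried to name.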

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-44843
GHSA-PJWX-R37V-7724

Affected Products

LangChain