{"data":{"id":"017abd3b-28ae-45e3-b9f5-dbe910daae2a","title":"CVE-2026-40087: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string ... [title truncated at source]","summary":"LangChain, a framework for building AI agents and applications powered by large language models, had a vulnerability in how it validated f-string templates (a Python feature for inserting variables into text strings). Before versions 0.3.84 (0.3.x line) and 1.2.28 (1.x line), certain template classes could accept and execute expressions that should have been blocked - attribute access, and nested replacement fields hidden inside format specifiers - which could allow attackers to access unintended data or run unwanted code. Practitioner caveat: exposure depends on whether the template string itself (not only the values substituted into it) can be influenced by untrusted input, and the assigned CVSS vector (C:L/I:N/A:N) scores only a limited confidentiality impact, so the realistic worst case for a given deployment should be confirmed against the advisory rather than assumed from the 'run unwanted code' wording.","solution":"Update LangChain to 0.3.84 or later on the 0.3.x release line, or to 1.2.28 or later on the 1.x release line, where the f-string template validation has been fixed. Until the upgrade is applied, avoid building prompt templates from strings that an untrusted party can influence.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-40087","publishedAt":"2026-04-09T20:16:27.400Z","cveId":"CVE-2026-40087","cweIds":["CWE-1336"],"cvssScore":"5.3","cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-09T20:16:27.400Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0051"]}}