GHSA-gr75-jv2w-4656: LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Summary
LangChain has a path traversal vulnerability (a security flaw where attackers can access files outside an intended directory) in its file-search and configuration-loading components. These components don't properly validate that resolved file paths stay within their intended root directory, allowing attackers to use glob patterns (wildcards like *.txt), symlinks (shortcuts to files), or specially crafted path strings to access files they shouldn't. If an untrusted source, including an LLM, influences the paths or search patterns, attackers could read files outside the intended boundary.
Solution / Mitigation
The patches canonicalize candidate paths (resolving symlinks to their actual targets) and verify that the resolved real path stays within the configured root before any file is read. Search patterns are normalized so they cannot escape the root. Configuration loaders confine resolved path fields and reject symlink escapes unless the caller explicitly enables dangerous loading. Path-prefix checks enforce path-segment boundaries, so a root of /data no longer matches /data-private. Path validation behaves consistently across operating systems. Callers that intentionally reference external paths can opt in via the existing dangerous-loading flag.
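The check described above, written out as an added example (this is not LangChain's code, and the function names confine_path, normalize_pattern and confined_glob are assumptions). It resolves the root and the candidate to their real paths, confines the candidate with a segment-aware comparison rather than a string prefix, rejects patterns that are absolute or contain "..", and filters glob hits so symlinks pointing outside the root are skipped. The demo builds a constructed directory layout in a temporary directory and returns the outcome of each check.

```python
import tempfile
from pathlib import Path, PurePosixPath


class PathEscapeError(ValueError):
    """Raised when a candidate path resolves outside the configured root."""


def confine_path(root, candidate) -> Path:
    """Return the canonical path of `candidate` if it lies inside `root`.

    Both sides are canonicalized with resolve(), so symlinks are followed
    before the comparison. relative_to() compares whole path segments, so a
    root of /data does not accept /data-private/x (a bare string-prefix
    check would).
    """
    root_real = Path(root).resolve()
    cand = Path(candidate)
    if not cand.is_absolute():
        cand = root_real / cand
    cand_real = cand.resolve()
    try:
        cand_real.relative_to(root_real)
    except ValueError:
        raise PathEscapeError(f"{candidate!r} resolves outside {root_real}") from None
    return cand_real


def normalize_pattern(pattern: str) -> str:
    """Normalize a glob pattern so it cannot climb out of the root.

    Backslashes are treated as separators so the rule is the same on every
    OS; absolute patterns and any '..' segment are rejected.
    """
    p = PurePosixPath(pattern.replace("\\", "/"))
    if p.is_absolute() or any(part == ".." for part in p.parts):
        raise PathEscapeError(f"pattern {pattern!r} is not confined to the root")
    return p.as_posix()


def confined_glob(root, pattern: str) -> list:
    """Glob under `root`, dropping any hit whose real path leaves the root."""
    root_real = Path(root).resolve()
    hits = []
    for hit in root_real.glob(normalize_pattern(pattern)):
        try:
            real = confine_path(root_real, hit)
        except PathEscapeError:
            continue  # symlink (or similar) pointing outside: skip it
        hits.append(real.relative_to(root_real).as_posix())
    return sorted(hits)


def is_escape(root, candidate) -> bool:
    """True if confine_path rejects the candidate."""
    try:
        confine_path(root, candidate)
        return False
    except PathEscapeError:
        return True


def pattern_rejected(pattern: str) -> bool:
    """True if normalize_pattern rejects the pattern."""
    try:
        normalize_pattern(pattern)
        return False
    except PathEscapeError:
        return True


def demo() -> dict:
    """Constructed layout: docs/ is the root; outside.txt and docs-private/
    sit beside it; docs/link.txt is a symlink to outside.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "docs"
        root.mkdir()
        (root / "a.txt").write_text("inside")
        (root / "sub").mkdir()
        (root / "sub" / "b.txt").write_text("inside")
        (base / "outside.txt").write_text("outside")
        (base / "docs-private").mkdir()
        (base / "docs-private" / "secret.txt").write_text("outside")
        (root / "link.txt").symlink_to(base / "outside.txt")
        return {
            "plain": is_escape(root, "a.txt"),                          # False
            "dotdot": is_escape(root, "../outside.txt"),                # True
            "symlink": is_escape(root, "link.txt"),                     # True
            "prefix": is_escape(root, base / "docs-private" / "secret.txt"),  # True
            "glob": confined_glob(root, "**/*.txt"),                    # link.txt dropped
            "bad_pattern": pattern_rejected("../*.txt"),                # True
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order matters: canonicalize first, then compare, because a check done on the unresolved string sees "link.txt" as an ordinary file inside the root. Filtering glob results through the same confine_path keeps the pattern and the per-file checks consistent, so a pattern that passes normalization still cannot surface a symlinked file from outside.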
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-gr75-jv2w-4656
First tracked: June 16, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%