CVE-2026-44843

high
Published 2026-05-26 · Modified 2026-05-29
CVSS v3
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS v4
—
not yet in upstream
VIR risk
8.2

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3.

Predictions

Exploit likelihood
88%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Community-verified, authored 2026-05-29

**Immediate action:** Upgrade to patched versions:

```bash
# Quote the specifiers: an unquoted ">=" is a shell redirection, not a version constraint
pip install --upgrade "langchain>=0.3.85" "langchain-core>=0.3.85"
# For 1.x users
pip install --upgrade "langchain>=1.3.3"
```

**Interim workaround** if upgrade is blocked: ensure `load()` is never called on untrusted input. Wrap deserialization with input validation:

```python
import json
from langchain.load import loads

def safe_load(data: str, allowed_namespaces: list[str]):
    # Inspect the raw constructor dict before anything is revived:
    # loads() returns the instantiated object, so it cannot be checked afterwards.
    raw = json.loads(data)
    namespace = (raw.get("id") or [None])[0] if isinstance(raw, dict) else None
    if namespace not in allowed_namespaces:
        raise ValueError("Untrusted namespace")
    return loads(data)
```

Audit any custom callback handlers or tool wrappers that deserialize agent state.

**Rollback:** downgrade carries the vulnerability; test the upgraded version in staging with full agent workflows before production deployment.
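The description and the workaround above both come down to one check: before a serialized payload reaches `load()`/`loads()`, every constructor dictionary in it, not just the top-level one, must name a class the runtime path actually expects. The following Python is an added example (not code from the advisory or from the LangChain project) that walks a payload in LangChain's serialization format (`lc`/`type`/`id`/`kwargs` dicts) and reports every constructor whose `id` path is not on an explicit allowlist, including constructors nested inside `kwargs`; the allowlist entries and the sample payload are constructed for the example, and the rejected class path is a placeholder.

```python
import json
from typing import Any

# Fully qualified serialized class paths ("id" fields) this runtime path is
# expected to revive. Constructed for the example; tailor it to the classes
# your application really stores.
ALLOWED_IDS: frozenset = frozenset({
    ("langchain", "schema", "messages", "HumanMessage"),
    ("langchain", "schema", "messages", "AIMessage"),
})


def find_constructors(node: Any, path: str = "$") -> list:
    """Return (json_path, id) for every LangChain constructor dict in a payload,
    descending into kwargs, lists and any wrapper objects around them."""
    found = []
    if isinstance(node, dict):
        if node.get("lc") == 1 and node.get("type") == "constructor":
            found.append((path, tuple(node.get("id", []))))
        for key, value in node.items():
            found.extend(find_constructors(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(find_constructors(value, f"{path}[{i}]"))
    return found


def check_payload(raw: str, allowed: frozenset = ALLOWED_IDS) -> list:
    """Return the JSON paths of constructor nodes that are NOT allowlisted.
    Only an empty result means the payload may be handed to load()/loads()."""
    return [p for p, cid in find_constructors(json.loads(raw)) if cid not in allowed]


# Constructed sample: benign at the top level, but a second constructor is
# smuggled inside the kwargs of the outer message ("SomeOtherClass" is a placeholder).
SAMPLE = json.dumps({
    "output": {
        "lc": 1, "type": "constructor",
        "id": ["langchain", "schema", "messages", "AIMessage"],
        "kwargs": {
            "content": "ok",
            "additional_kwargs": {
                "lc": 1, "type": "constructor",
                "id": ["langchain", "some_module", "SomeOtherClass"],
                "kwargs": {"path": "/tmp/x"},
            },
        },
    }
})

if __name__ == "__main__":
    print(check_payload(SAMPLE))  # ['$.output.kwargs.additional_kwargs']
```

A top-level namespace check alone would have accepted this payload, since the outer object is an allowlisted message; the nested constructor is what the broad `allowed_objects="all"` path would have revived.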

Package impact

| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| python PyPI | langchain-core | >=1.0.0,<1.3.3 | 1.3.3 |
| python PyPI | langchain-core | <0.3.85 | 0.3.85 |
| PIP | langchain-core | <= 0.3.84 | 0.3.85 |
| PIP | langchain-core | >= 1.0.0, <= 1.3.2 | 1.3.3 |

Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| langchain | langchain | {"endExcluding":"0.3.85"} | 0.3.85 |
| langchain | langchain | {"startIncluding":"1.0.0","endExcluding":"1.3.3"} | 1.3.3 |

References

CWEs

CWE-502
