{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40087", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.206Z", "datePublished": "2026-04-09T19:34:55.198Z", "dateUpdated": "2026-04-14T14:48:03.160Z"}, "containers": {"cna": {"title": "LangChain has incomplete f-string validation in prompt templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"}, {"name": "https://github.com/langchain-ai/langchain/pull/36612", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/pull/36612"}, {"name": "https://github.com/langchain-ai/langchain/pull/36613", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/pull/36613"}, {"name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"}, {"name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"version": "< 0.3.83", "status": "affected"}, {"version": ">= 1.0.0a1, < 1.2.28", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:34:55.198Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "source": {"advisory": "GHSA-926x-3r5x-gfhw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:47:52.978194Z", "id": "CVE-2026-40087", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:48:03.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40087", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:47:52.978194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:47:57.170Z"}}], "cna": {"title": "LangChain has incomplete f-string validation in prompt templates", "source": {"advisory": "GHSA-926x-3r5x-gfhw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"status": "affected", "version": "< 0.3.83"}, {"status": "affected", "version": ">= 1.0.0a1, < 1.2.28"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langchain/pull/36612", "name": "https://github.com/langchain-ai/langchain/pull/36612", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/pull/36613", "name": "https://github.com/langchain-ai/langchain/pull/36613", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:34:55.198Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40087", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:48:03.160Z", "dateReserved": "2026-04-09T00:39:12.206Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T19:34:55.198Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*", "matchCriteriaId": "0274A49C-E34C-4B49-B47F-025C54462E88", "versionEndExcluding": "0.3.84", "vulnerable": true}, {"criteria": "cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*", "matchCriteriaId": "199ECAF5-9D89-4DDC-B084-F3A9CC0A36AA", "versionEndExcluding": "1.2.28", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "id": "CVE-2026-40087", "lastModified": "2026-04-16T20:48:43.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T20:16:27.400", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/langchain-ai/langchain/pull/36612"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/langchain-ai/langchain/pull/36613"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "langchain: incomplete f-string validation in prompt templates", "id": "2457024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457024"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-1336", "details": ["A flaw was found in LangChain. A missing validation of f-string prompt templates in some classes, specifically in `DictPromptTemplate` and `ImagePromptTemplate`, can cause the evaluation of attribute access or indexing expressions during template formatting. Also, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. A remote attacker can exploit this issue by providing a specially crafted prompt template, potentially leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, validate and sanitize any user-supplied input before it is passed into a DictPromptTemplate or ImagePromptTemplate. Reject any input containing curly braces unless they are strictly necessary and controlled. Furthermore, strip or reject input strings that attempt to use nested replacement fields (e.g., fields hidden within format specifiers like {value:{nested_format}})."}, "name": "CVE-2026-40087", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-service", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-disk-image-container-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-rocm-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-09T19:34:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40087\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40087\nhttps://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b\nhttps://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258\nhttps://github.com/langchain-ai/langchain/pull/36612\nhttps://github.com/langchain-ai/langchain/pull/36613\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"], "statement": "To exploit this vulnerability, an attacker needs to supply a specially crafted input to the `DictPromptTemplate` or `ImagePromptTemplate` classes. The payload must contain Python attribute access expressions (e.g., accessing internal object classes), which bypass the template validator and get executed by the underlying f-string formatter, potentially causing information disclosure. There is no memory corruption or arbitrary code execution. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3.83)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.0a1,1.2.28)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "langchain", "source": "cna", "vendor": "langchain-ai"}, "product": "langchain", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-04-09T22:29:31.644390+00:00", "value": {"mitigation_remediation": ["Upgrade langchain to version 0.3.84 or 1.2.28 or newer, where the f\u2011string validation bug is fixed.", "Validate any user\u2011supplied prompt templates using a whitelist or sandbox before rendering to prevent code execution.", "Restrict access to template creation endpoints so that only trusted users can supply template strings.", "Monitor application logs for unexpected template formatting errors or crashes that could indicate exploitation.", "Apply least\u2011privilege principles to the process that renders prompts to limit impact if an exploit occurs."], "summary": {"action": "Apply Patch", "impact": "Arbitrary code execution via f\u2011string evaluation"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all installations of langchain\u2011ai/langchain released before core 0.3.84 and before 1.2.28. Any deployment that utilizes DictPromptTemplate or ImagePromptTemplate for dynamic prompt generation without upgrading to the patched versions remains vulnerable.", "description_and_impact": "LangChain, a Python framework for building agents and LLM\u2011powered applications, contains an incomplete validation of f\u2011string prompt templates in versions prior to 0.3.84 and 1.2.28. The bug allows DictPromptTemplate and ImagePromptTemplate to accept f\u2011string templates that contain attribute access or indexing expressions, and also fails to reject nested replacement fields inside format specifiers. Because Python\u2019s formatter evaluates these expressions at runtime, an attacker can embed arbitrary Python code in a prompt template and cause the application to execute it, corresponding to CWE\u20111336.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates medium severity, and EPSS data is unavailable; the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. The likely attack vector is local or insider, where an attacker can influence the prompt template that the application formats. Once a malicious template is processed, the injected expressions run with the process\u2019s privileges, posing a credible risk to applications that accept user\u2011generated prompts. This exploit path requires the attacker to provide a crafted prompt template to the application, which is typically available only through trusted or privileged input channels."}}}}, "created": "2026-04-10T08:38:49.647717+00:00", "updated": "2026-04-10T09:29:33.183576+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langchain"]}