What happened
LangChain versions prior to 1.3.9 contain multiple path-traversal and sandbox-escape flaws (CWE-22, CWE-59) in file-search agent middleware and document loaders. A file-search agent validates a starting directory but not the search pattern or symlink targets, so glob patterns and symlinks can reach files outside the configured root. Prompt- and chain/agent-configuration loaders accept path fields without confining resolution to a trusted base. Path-prefix authorization checks compare by string prefix without a path-segment boundary, allowing sibling paths sharing the prefix. When path values or workspace contents are influenced by an untrusted LLM-processed input, files outside the intended boundary can be disclosed. CVSS 5.1 Medium; published by GitHub CNA on 2026-06-22; fixed in 1.3.9.
Why it matters
LangChain is one of the most widely deployed LLM/agent frameworks. When an LLM agent processes untrusted data (from a document, web page, or user prompt) and passes path values to these components, an attacker can read arbitrary files from the agent's host — including secrets, SSH keys, and model weights — without any explicit vulnerability in the LLM itself. This is a concrete path from prompt injection to filesystem exfiltration.
Attack vector
An LLM agent processing untrusted input (document, prompt, or tool response) passes attacker-controlled path values or glob patterns to LangChain file-search or loader components, causing out-of-root file disclosure via path traversal or symlink following.
Affected systems
LangChain (langchain-ai/langchain) < 1.3.9
Mitigation
Upgrade to LangChain ≥ 1.3.9. Commit: https://github.com/langchain-ai/langchain/commit/dcaf7795a3e6590af55c3ff7bda6add6355e9ea6