{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40087", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.206Z", "datePublished": "2026-04-09T19:34:55.198Z", "dateUpdated": "2026-04-14T14:48:03.160Z"}, "containers": {"cna": {"title": "LangChain has incomplete f-string validation in prompt templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"}, {"name": "https://github.com/langchain-ai/langchain/pull/36612", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/pull/36612"}, {"name": "https://github.com/langchain-ai/langchain/pull/36613", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/pull/36613"}, {"name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"}, {"name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"}, {"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"version": "< 0.3.83", "status": "affected"}, {"version": ">= 1.0.0a1, < 1.2.28", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:34:55.198Z"}, "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "source": {"advisory": "GHSA-926x-3r5x-gfhw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:47:52.978194Z", "id": "CVE-2026-40087", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:48:03.160Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40087", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:47:52.978194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:47:57.170Z"}}], "cna": {"title": "LangChain has incomplete f-string validation in prompt templates", "source": {"advisory": "GHSA-926x-3r5x-gfhw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "langchain-ai", "product": "langchain", "versions": [{"status": "affected", "version": "< 0.3.83"}, {"status": "affected", "version": ">= 1.0.0a1, < 1.2.28"}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langchain/pull/36612", "name": "https://github.com/langchain-ai/langchain/pull/36612", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/pull/36613", "name": "https://github.com/langchain-ai/langchain/pull/36613", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:34:55.198Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40087", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:48:03.160Z", "dateReserved": "2026-04-09T00:39:12.206Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T19:34:55.198Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "id": "CVE-2026-40087", "lastModified": "2026-04-13T15:02:27.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T20:16:27.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/pull/36612"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/pull/36613"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "langchain: incomplete f-string validation in prompt templates", "id": "2457024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457024"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-1336", "details": ["A flaw was found in LangChain. A missing validation of f-string prompt templates in some classes, specifically in `DictPromptTemplate` and `ImagePromptTemplate`, can cause the evaluation of attribute access or indexing expressions during template formatting. Also, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. A remote attacker can exploit this issue by providing a specially crafted prompt template, potentially leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, validate and sanitize any user-supplied input before it is passed into a DictPromptTemplate or ImagePromptTemplate. Reject any input containing curly braces unless they are strictly necessary and controlled. Furthermore, strip or reject input strings that attempt to use nested replacement fields (e.g., fields hidden within format specifiers like {value:{nested_format}})."}, "name": "CVE-2026-40087", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-service", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-cuda-disk-image-container-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "redhat-user-workloads/bootc-rocm-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-09T19:34:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40087\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40087\nhttps://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b\nhttps://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258\nhttps://github.com/langchain-ai/langchain/pull/36612\nhttps://github.com/langchain-ai/langchain/pull/36613\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84\nhttps://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28\nhttps://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"], "statement": "To exploit this vulnerability, an attacker needs to supply a specially crafted input to the `DictPromptTemplate` or `ImagePromptTemplate` classes. The payload must contain Python attribute access expressions (e.g., accessing internal object classes), which bypass the template validator and get executed by the underlying f-string formatter, potentially causing information disclosure. There is no memory corruption or arbitrary code execution. Due to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}