SCA: security update for langchain, langchain-anthropic (GHSA-gr75-jv2w-4656)

medium Tenable Cloud Security Plugin ID 443300

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several
LangChain components that resolve filesystem paths or expand search patterns do not consistently confine
the resolved path to the intended root directory. Affected behaviors include: a file-search agent
middleware that validates a starting directory but not the search pattern or the resolved target of
matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and
chain/agent-configuration loaders that accept path fields and resolve them without confining the result to
a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string
prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these
components receive path values, search patterns, or workspace contents influenced by an untrusted source —
including an LLM acting on untrusted input — the result can be disclosure of files outside the intended
boundary. This vulnerability is fixed in 1.3.9. (CVE-2026-55443)

Solution

Update the langchain library and its related packages to version 1.3.9 or later.

See Also

https://github.com/advisories/GHSA-gr75-jv2w-4656

Plugin Details

Severity: Medium

ID: 443300

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/16/2026

Updated: 7/8/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-55443

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/16/2026

Vulnerability Publication Date: 6/16/2026

Reference Information

CVE: CVE-2026-55443