LangChain < 1.3.9 Path Traversal (CVE-2026-55443)

medium Nessus Plugin ID 322754

Synopsis

The remote host is affected by a path traversal vulnerability.

Description

The version of LangChain installed on the remote host is prior to 1.3.9. It is, therefore, affected by a path traversal vulnerability:

- Several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include a file-search agent middleware that validates a starting directory but not the search pattern or resolved target of matched files, prompt and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base, and path-prefix authorization checks that compare by string prefix without a path-segment boundary. When these components receive path values influenced by an untrusted source, the result can be disclosure of files outside the intended boundary. (CVE-2026-55443)
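The two weaknesses named in the description (string-prefix checks with no path-segment boundary, and matches or path fields resolved without confinement) side by side with a hardened check. This is an added illustration, not LangChain's code; the root directory and the candidate paths are constructed for the example.

```python
import os
from pathlib import Path
from typing import List, Optional

ROOT = "/srv/app/data"  # constructed trusted base directory for the example


def weak_is_inside(root: str, candidate: str) -> bool:
    # Weak form: a plain string-prefix test. It has no path-segment boundary
    # ("/srv/app/data" is a prefix of "/srv/app/data_private/...") and it
    # never normalises "..", so "/srv/app/data/../../etc/passwd" also passes.
    return candidate.startswith(root)


def confined_path(root: str, candidate: str) -> Optional[Path]:
    # Hardened form: join the candidate under the root, resolve the result
    # (collapses ".." and follows any symlinks that exist), then require that
    # the root matches on a whole-segment basis. Returns None on escape.
    root_p = Path(root).resolve()
    target = (root_p / candidate).resolve()  # an absolute candidate replaces root
    return target if target.is_relative_to(root_p) else None


def confined_matches(root: str, matches: List[str]) -> List[str]:
    # For a search pattern, validating the starting directory alone is not
    # enough: every resolved match must be re-checked against the root.
    return [m for m in matches if confined_path(root, m) is not None]


if __name__ == "__main__":
    for cand in ["report.txt", "../../etc/passwd", "/srv/app/data_private/keys"]:
        weak = weak_is_inside(ROOT, os.path.join(ROOT, cand))
        print(f"{cand!r}: weak={weak} confined={confined_path(ROOT, cand)}")
```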

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to LangChain version 1.3.9 or later.

See Also

http://www.nessus.org/u?7695fc88

Plugin Details

Severity: Medium

ID: 322754

File Name: langchain_CVE-2026-55443.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Published: 6/25/2026

Updated: 6/25/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-55443

CVSS v3

Risk Factor: Medium

Base Score: 5.1

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/a:langchain-ai:langchain

Required KB Items: installed_sw/LangChain

Patch Publication Date: 6/12/2026

Vulnerability Publication Date: 6/12/2026

Reference Information

CVE: CVE-2026-55443