CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-gr75-jv2w-4656: LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders

mediumCVSS 5.1CVE-2026-55443
Summary Several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the *resolved* path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source — including an LLM acting on untrusted input — the result can be disclosure of files outside the intended boundary. We have no evidence of this behavior being triggered in the wild. Affected users / systems You may be affected if you expose an agent with filesystem-search middleware over a directory and accept prompts or retrieved content influenced by untrusted sources; load prompt or chain/agent configuration from untrusted or shared sources; or rely on path-prefix restrictions to confine tool file access. Callers that confine these components to fully trusted inputs and first-party configuration are not affected. Impact - Confidentiality: disclosure of file contents outside the intended root/sandbox. - Authorization: path-prefix bypass can grant access to sibling resources beyond the intended subtree. Patches / mitigation The affected components will canonicalize candidate paths (resolving symlinks) and verify the resolved real path remains within the configured root before reading or returning it; search patterns will be normalized so they cannot escape the root; configuration loaders will confine resolved path fields and reject s

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.1
Published
2026-06-16
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-gr75-jv2w-4656

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55443coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories