CVE-2026-40087

CVE-2026-40087 is a medium-severity improper input validation vulnerability in langchain-core (pip), affecting versions < 0.3.83. It is fixed in 0.3.84, 1.2.28.

Summary

LangChain's f-string prompt-template validation was incomplete in two respects.

First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting.

Examples of the affected shape include:

"{message.additional_kwargs[secret]}"
"https://example.com/{image.__class__.__name__}.png"

Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. For example:

"{name:{name.__class__.__name__}}"

In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime.

Affected usage

This issue is only relevant for applications that accept untrusted template strings, rather than only untrusted template variable values.

In addition, practical impact depends on what objects are passed into template formatting:

  • If applications only format simple values such as strings and numbers, impact is limited and may only result in formatting errors.
  • If applications format richer Python objects, attribute access and indexing may interact with internal object state during formatting.

In many deployments, these conditions are not commonly present together. Applications that allow end users to author arbitrary templates often expose only a narrow set of simple template variables, while applications that work with richer internal Python objects often keep template structure under developer control. As a result, the highest-impact scenario is plausible but is not representative of all LangChain applications.

Applications that use hardcoded templates or that only allow users to provide variable values are not affected by this issue.

Impact

The direct issue in DictPromptTemplate and ImagePromptTemplate allowed attribute access and indexing expressions to survive template construction and then be evaluated during formatting. When richer Python objects were passed into formatting, this could expose internal fields or nested data to prompt output, model context, or logs.

The nested format-spec issue is narrower in scope. It bypassed the intended validation rules for f-string templates, but in simple cases it results in an invalid format specifier error rather than direct disclosure. Accordingly, its practical impact is lower than that of direct top-level attribute traversal.

Overall, the practical severity depends on deployment. Meaningful confidentiality impact requires attacker control over the template structure itself, and higher impact further depends on the surrounding application passing richer internal Python objects into formatting.

The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths. Typical impact varies by context: data corruption, logic bypass, or denial of service.

CVE-2026-40087 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.3.84, 1.2.28); upgrading removes the vulnerable code path.

Affected versions

langchain-core (< 0.3.83)
langchain-core (>= 1.0.0a1, < 1.2.28)

Security releases

langchain-core → 0.3.84 (pip)
langchain-core → 1.2.28 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

The fix consists of two changes.

First, LangChain now applies f-string safety validation consistently to DictPromptTemplate and ImagePromptTemplate, so templates containing attribute access or indexing expressions are rejected during construction and deserialization.

Second, LangChain now rejects nested replacement fields inside f-string format specifiers.

Concretely, LangChain validates parsed f-string fields and raises an error for:

  • variable names containing attribute access or indexing syntax such as . or []
  • format specifiers containing { or }

This blocks templates such as:

"{message.additional_kwargs[secret]}"
"https://example.com/{image.__class__.__name__}.png"
"{name:{name.__class__.__name__}}"

The fix preserves ordinary f-string formatting features such as standard format specifiers and conversions, including examples like:

"{value:.2f}"
"{value:>10}"
"{value!r}"

In addition, the explicit template-validation path now applies the same structural f-string checks before performing placeholder validation, ensuring that the security checks and validation checks remain aligned.
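The following stand-alone validator, added here as an illustration and not taken from langchain-core, implements the two checks the advisory describes: it rejects attribute access or indexing syntax in a field name, and it rejects braces inside a format specifier, while letting ordinary specifiers and conversions through. It also shows why validation based on top-level field names alone was incomplete: string.Formatter().parse(), the same machinery str.format() uses, reports a nested replacement field in the format_spec slot, not in field_name. The function names, the UnsafeTemplateError type, and the safe_format wrapper are assumptions made for this example.

```python
"""Added example: an f-string template validator applying the advisory's two
checks. This is not langchain-core's own code; the function names and the
error type below are assumptions made for illustration."""
import string
from typing import Iterator, List, Tuple


class UnsafeTemplateError(ValueError):
    """Raised when a template contains attribute access, indexing, or a nested field."""


def parse_fields(template: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (field_name, format_spec, conversion) for each replacement field.

    string.Formatter().parse() is what str.format() itself uses. A nested
    replacement field written inside the format specifier, e.g.
    "{name:{name.__class__.__name__}}", is returned in format_spec, so a
    check that only inspects field_name never sees it.
    """
    for _literal, field_name, format_spec, conversion in string.Formatter().parse(template):
        if field_name is not None:  # trailing literal text carries no field
            yield field_name, format_spec or "", conversion or ""


def validate_fstring_template(template: str) -> List[str]:
    """Return the top-level variable names if the template is safe, else raise."""
    names: List[str] = []
    for field_name, format_spec, _conversion in parse_fields(template):
        # Check 1: attribute access or indexing syntax in the field name.
        if "." in field_name or "[" in field_name or "]" in field_name:
            raise UnsafeTemplateError(
                f"attribute access or indexing is not allowed in field {field_name!r}"
            )
        # Check 2: a nested replacement field hidden in the format specifier.
        # A '.' in the spec itself ("{value:.2f}") is fine; only braces are rejected.
        if "{" in format_spec or "}" in format_spec:
            raise UnsafeTemplateError(
                f"nested replacement field in format spec {format_spec!r} of field {field_name!r}"
            )
        if field_name:  # skip auto-numbered positional fields such as "{}"
            names.append(field_name)
    return names


def is_safe(template: str) -> bool:
    """True if the template passes both checks and is syntactically well formed.

    A malformed template (e.g. an unbalanced brace) makes the parser raise a
    plain ValueError; that is treated as unsafe too rather than propagated.
    """
    try:
        validate_fstring_template(template)
        return True
    except ValueError:
        return False


def safe_format(template: str, **values: object) -> str:
    """Validate the template's structure before handing it to str.format()."""
    validate_fstring_template(template)
    return template.format(**values)


if __name__ == "__main__":
    # Constructed sample templates taken from the shapes the advisory lists.
    for t in [
        "{message.additional_kwargs[secret]}",
        "https://example.com/{image.__class__.__name__}.png",
        "{name:{name.__class__.__name__}}",
        "{value:.2f}",
        "{value:>10}",
        "{value!r}",
    ]:
        print(f"{t!r:55} safe={is_safe(t)}")
```

Validation happens once, at construction or deserialization time, so the runtime cost of the parse is paid before any untrusted template ever reaches str.format(). Note that this only constrains template structure; it is not a substitute for limiting which objects are exposed as template variables in the first place.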

Frequently Asked Questions

  1. What is CVE-2026-40087? CVE-2026-40087 is a medium-severity improper input validation vulnerability in langchain-core (pip), affecting versions < 0.3.83. It is fixed in 0.3.84, 1.2.28. The application does not adequately validate input before processing it, allowing unexpected values to reach sensitive code paths.
  2. How severe is CVE-2026-40087? CVE-2026-40087 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of langchain-core are affected by CVE-2026-40087? langchain-core (pip) versions < 0.3.83 are affected.
  4. Is there a fix for CVE-2026-40087? Yes. CVE-2026-40087 is fixed in 0.3.84, 1.2.28. Upgrade to one of these versions or later.
  5. Is CVE-2026-40087 exploitable, and should I be worried? Whether CVE-2026-40087 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-40087 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40087?
    • Upgrade langchain-core to 0.3.84 or later
    • Upgrade langchain-core to 1.2.28 or later
