CVE-2026-40087: LangChain has incomplete f-string validation in prompt templates
(updated )
LangChain’s f-string prompt-template validation was incomplete in two respects.
First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting.
Examples of the affected shape include:
"{message.additional_kwargs[secret]}"
"https://example.com/{image.__class__.__name__}.png"
Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. For example:
"{name:{name.__class__.__name__}}"
In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime.
References
- github.com/advisories/GHSA-926x-3r5x-gfhw
- github.com/langchain-ai/langchain
- github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b
- github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258
- github.com/langchain-ai/langchain/pull/36612
- github.com/langchain-ai/langchain/pull/36613
- github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84
- github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28
- github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw
- nvd.nist.gov/vuln/detail/CVE-2026-40087
Code Behaviors & Features
Detect and mitigate CVE-2026-40087 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →