CVE-2026-44843: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments.

Applications are exposed only when all of the following are true:

1. The application accepts untrusted structured input, such as JSON, from a user or network request.
2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain.
3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs.
4. The application uses an affected API path that later deserializes that run data.

Known affected runtime surfaces include:

• RunnableWithMessageHistory
• astream_log()
• astream_events(version="v1")

Related unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores.

Applications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive.

This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (_is_lc_secret). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during dumps() -> loads() round-trips and reach LangChain object revival logic.