What is CVE-2026-40087?

CVE-2026-40087 is a medium-severity vulnerability in Langchain-ai Langchain, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 5.3/10. Published 2026-04-09.

How severe is CVE-2026-40087?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Langchain-ai Langchain

CVE-2026-40087

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string te…

EPSS: 0.001 (17.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Langchain-ai Langchain — versions < 0.3.83, >= 1.0.0a1, < 1.2.28

Weakness classification (CWE)

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine

References

https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw (x_refsource_CONFIRM)
https://github.com/langchain-ai/langchain/pull/36612 (x_refsource_MISC)
https://github.com/langchain-ai/langchain/pull/36613 (x_refsource_MISC)
https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b (x_refsource_MISC)
https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258 (x_refsource_MISC)
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84 (x_refsource_MISC)
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-40087?: CVE-2026-40087 is a medium-severity vulnerability in Langchain-ai Langchain, classified under Improper Neutralization of Special Elements Used in a Template Engine. CVSS score: 5.3/10. Published 2026-04-09.
How severe is CVE-2026-40087?: Medium severity. CVSS v3 base score is 5.3 out of 10.