LangGraph SDK has unsafe URL path construction
Description
LangGraph Python SDK versions ≤0.3.14 allow request path injection via unsanitized identifiers, causing potential resource access escalation. Fixed in 0.3.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LangGraph Python SDK (langgraph-sdk) constructs HTTP request paths by interpolating caller-supplied identifier values into URL templates. Versions 0.3.14 and prior fail to sanitize these values before inclusion in the path. An identifier containing URL-special characters (e.g., ../) can alter the resulting request path, potentially addressing a different resource or resource type than the SDK method intended [1].
Exploitation
An attacker needs the ability to supply identifier values to SDK methods, typically via end-user input forwarded directly into SDK parameters without prior validation. No special network position is required beyond normal application access. By providing a crafted identifier (e.g., ../../other-resource/), the attacker causes the SDK to issue an HTTP request to a path the developer did not intend, effectively hijacking the operation [1].
Impact
Successful exploitation can lead to unintended access, modification, or deletion of LangGraph resources beyond the user's authorization scope. The impact is most severe in deployments relying on URL-prefix-based authorization (e.g., reverse proxy, WAF), where the authorization decision is made on the intended path rather than the manipulated final request path [1].
Mitigation
The issue was fixed in langgraph-sdk version 0.3.15, released on June 16, 2026, by percent-encoding caller-supplied identifiers in URL paths [2]. Users should upgrade to >=0.3.15. As a workaround, applications should validate identifier values (e.g., parse as UUID) before passing them to SDK methods; doing so fully eliminates the attack surface [1]. No evidence of exploitation in the wild has been reported.
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
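To make the mitigation concrete, the following added illustration (not langgraph-sdk's own code) contrasts raw interpolation of an identifier into a path template with the percent-encoded form the fix describes, and applies the UUID-validation workaround on the caller side. The `/threads/{thread_id}/state` template and the function names are assumptions; the hostile identifier is the one quoted in the Exploitation section.

```python
import posixpath
import uuid
from urllib.parse import quote

# Assumed URL template; the SDK's real templates are not shown on this page.
TEMPLATE = "/threads/{thread_id}/state"


def naive_path(thread_id: str) -> str:
    """Vulnerable pattern (as described for <=0.3.14): raw interpolation."""
    return TEMPLATE.format(thread_id=thread_id)


def encoded_path(thread_id: str) -> str:
    """Hardened pattern: percent-encode the identifier before interpolation.

    safe="" makes quote() encode "/" as %2F, so the value can never add or
    remove path segments; any dot-segments stay inside one opaque segment.
    """
    return TEMPLATE.format(thread_id=quote(thread_id, safe=""))


def effective_path(path: str) -> str:
    """Approximate what a server or proxy routes on after dot-segment removal
    (RFC 3986 section 5.2.4); posixpath.normpath collapses "." and "..".
    """
    return posixpath.normpath(path)


def validate_thread_id(value: str) -> str:
    """Caller-side workaround from the advisory: reject anything that does
    not parse as a UUID before it reaches an SDK method. Returns the
    canonical hyphenated form."""
    try:
        return str(uuid.UUID(value))
    except ValueError as exc:
        raise ValueError(f"thread_id is not a UUID: {value!r}") from exc


if __name__ == "__main__":
    # Constructed attacker-controlled identifier, taken from the advisory text.
    hostile = "../../other-resource/"
    print("naive   :", effective_path(naive_path(hostile)))    # /other-resource/state
    print("encoded :", effective_path(encoded_path(hostile)))  # stays under /threads/
    try:
        validate_thread_id(hostile)
    except ValueError as err:
        print("rejected:", err)
```

Note that a reverse proxy or WAF authorizing on the `/threads/` prefix would see the naive request land on `/other-resource/state`, which is exactly the prefix-based authorization bypass the Impact section warns about.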
Affected products
- Range: <=0.3.14
Patches
1e1aa1a4510f10.3.15
1 file changed · +1 −1
libs/langgraph/pyproject.toml+1 −1 modified@@ -1,6 +1,6 @@ [tool.poetry] name = "langgraph" -version = "0.3.14" +version = "0.3.15" description = "Building stateful, multi-actor applications with LLMs" authors = [] license = "MIT"
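Review bot: This hunk only bumps `version = "0.3.14"` to `version = "0.3.15"` in libs/langgraph/pyproject.toml, whose `name = "langgraph"` line shows it is the langgraph package, not langgraph-sdk; it contains none of the percent-encoding of caller-supplied identifiers that the Mitigation section credits the fix with. Cite the commit that changes the SDK's URL-construction code alongside this version bump, or readers will not be able to verify what the fix actually does.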
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/langchain-ai/langgraph/releases/tag/sdk%3D%3D0.3.15 (MITRE x_refsource_MISC)
- github.com/langchain-ai/langgraph/security/advisories/GHSA-w39p-vh2g-g8g5 (MITRE x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.