External risk intelligence

LangGraph SDK Unsanitized URL Path Traversal.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-48776

The LangGraph Python SDK is a client-side library, not an internet-facing service or appliance. Exposure depends entirely on how developers integrate it. It is only accessible if a developer's application insecurely passes unsanitized, user-controlled input directly into SDK methods. Because this requires specific application-level design flaws, it is not a default internet-accessible surface.

Path Traversal

Langchain Langgraph Sdk

before 0.3.15

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the LangGraph Python SDK could allow unintended access to resources when processing identifiers from untrusted sources. This issue is most impactful in deployments that forward end-user-supplied values directly into SDK identifier parameters without validation and rely on upstream URL-based authorization. The problem has been addressed in version 0.3.15.

  • Unsafe URL construction allows unauthorized resource access.
  • Critical if untrusted input bypasses upstream authorization.
  • Confirm if untrusted input is forwarded to SDKs.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending specially crafted inputs to an application that uses the vulnerable SDK. If the application does not sanitize these inputs before passing them to the SDK, the attacker's input could manipulate the URL path of an HTTP request. This could cause the request to target unintended resources on the server, potentially leading to unauthorized access, modification, or deletion of data.

  • Application accepts untrusted input.
  • SDK constructs URL with unsanitized input.
  • Unintended resource access or modification.

Live Threat

Current exploitation, exposure, and threat context

Unsanitized identifier values in LangGraph Python SDK requests could allow an attacker to access, modify, or delete resources beyond their intended scope. This could occur when end-user-supplied values are forwarded directly into SDK identifier parameters without proper validation, and when upstream authorization relies solely on the intended URL path.

  • Risk to arbitrary resource access.
  • Unsanitized input leads to URL manipulation.
  • Unauthorized data modification or deletion.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability in the LangGraph Python SDK, especially in deployments where end-user input is directly passed to SDK identifier parameters without prior validation. The immediate practical step is to identify all instances of the affected SDK, determine their reachability and criticality, and then confirm the accountable owner before planning a risk-based remediation.

  • Identify affected application instances.
  • Verify untrusted input exposure.
  • Coordinate vendor fix deployment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the LangGraph Python SDK?

The LangGraph Python SDK is a library developers use to build applications that communicate with LangGraph API servers. It simplifies managing tasks like interacting with AI assistants, handling conversation threads, and streaming data runs. Developers integrate this SDK into their own Python code to act as a client, effectively bridging their application logic with the backend services that power LangGraph workflows.

What does CWE-22 and CWE-863 mean for CVE-2026-48776?

These codes identify weaknesses in how the software handles data. CWE-22 (Path Traversal) involves improper restriction of file or directory paths, while CWE-863 (Incorrect Authorization) relates to flaws in access control. In this CVE, the SDK fails to clean user-provided identifiers, allowing special characters to manipulate URL paths. This can trick the system into interacting with unintended resources, effectively bypassing the security boundaries intended to restrict user access.

How can an attacker trigger this vulnerability?

An attacker triggers this by supplying malicious identifier values to an application that uses the vulnerable SDK. If the application passes these inputs directly into SDK methods without checking them, the SDK constructs an altered URL path. This bug does not trigger if the application validates inputs—such as ensuring they match a specific format like a UUID—before passing them to the SDK, as the malicious characters are stripped or rejected before they can manipulate the request path.

Do I need to worry about this if my app is internal?

According to Halo Surface Signal, this SDK is a client-side library, not a standalone service, so risk depends on your specific code. You should be concerned if your application takes input from untrusted sources—like end-users—and passes it to the SDK without sanitization. If your application logic relies on a reverse proxy for authorization, that proxy might be bypassed because the request path changes after the proxy checks it, even if the application is not directly internet-facing.

How do I fix the CVE-2026-48776 issue in my code?

The primary fix is to update the LangGraph Python SDK to version 0.3.15 or later, which addresses the unsafe URL construction. Beyond updating the library, you should audit your code to ensure that any identifier values originating from users are strictly validated against an expected format, such as a UUID, before being passed to SDK methods. This two-layer approach ensures that even if inputs are complex, they cannot be used to manipulate underlying API requests.

References