CVE-2024-8309 MEDIUM

CVE-2024-8309: SQL Injection in langchain-ai/langchain

Vendor Langchain-Ai
Product langchain-ai/langchain
Weakness CWE-89 · SQLi
Published October 29, 2024
Last update October 15, 2025

CVSS base score

4.9/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Key dates

02 Disclosure timeline

October 29, 2024 CVE published
October 15, 2025 Record updated