AI agent frameworks are becoming the new attack vector of choice for cybercriminals. Three of the most widely used tools for building intelligent agents, LangGraph, Langflow, and LangChain, have recently been hit by vulnerabilities that allow remote code execution and sensitive data leakage. These are not complex exploits but classic bugs such as SQL injection, path traversal, and unsafe deserialization, which in this context have devastating reach because they lie at the heart of enterprise AI infrastructure.
The LangGraph attack chain: from SQL injection to full control
LangGraph, a framework for AI agent memory with over 50 million monthly downloads, was analyzed by Check Point Research. Yarden Porat discovered three vulnerabilities, two of which can be chained for remote code execution. The first, CVE-2025-67644 with a CVSS score of 7.3, is a SQL injection in the SQLite checkpointer. The function building the WHERE clause for checkpoint lookups drops user-controlled filter keys straight into the query with no parameterization. An attacker can then write a fabricated row into the checkpoint table. The second, CVE-2026-28277 with CVSS 6.8, exploits LangGraph's msgpack checkpoint decoder, which rebuilds Python objects from stored data. With write access to the checkpoint store, an attacker can import a module and call an arbitrary function, such as os.system. A third flaw, CVE-2026-27022 with CVSS 6.5, reaches the same result through the Redis checkpointer. The fixed versions are langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2.
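The filter-key flaw described above, as an added illustration that is not LangGraph's own code: a minimal SQLite checkpoint table queried through a caller-supplied metadata filter, with the flawed builder beside a hardened one. The table layout, column names and the _KEY_RE allowlist are assumptions; the point is that values can be bound as parameters but identifiers and JSON paths cannot, so keys must be validated instead.

```python
import json
import re
import sqlite3

# Constructed example, not LangGraph's code: a minimal checkpoint table whose
# metadata column holds JSON, queried with a caller-supplied filter dict.
# Only plain identifier-like keys are accepted (assumed allowlist).
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def _where_unsafe(filters):
    # The flawed pattern: the filter key lands inside the SQL text, so a key
    # containing a quote or comment sequence rewrites the statement. Binding
    # the value alone does not help because the key is never bound.
    clauses, params = [], []
    for key, value in filters.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return " AND ".join(clauses) or "1=1", params


def _where_safe(filters):
    # Hardened form: values are bound; keys cannot be bound, so they are
    # checked against a strict allowlist before they reach the query text.
    clauses, params = [], []
    for key, value in filters.items():
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return " AND ".join(clauses) or "1=1", params


def make_store():
    # In-memory table with two constructed checkpoint rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [("t1", json.dumps({"source": "input", "step": 1})),
         ("t2", json.dumps({"source": "loop", "step": 2}))],
    )
    return conn


def list_checkpoints(conn, filters):
    # Lookup that uses the hardened builder; returns matching thread ids.
    where, params = _where_safe(filters)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params)]
```

A key such as `source'` is rejected by `_where_safe` before any SQL is built, while the same key passes straight into the statement text in `_where_unsafe`.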
Langflow: active attacks on 7,000 exposed servers
The situation for Langflow is even more critical. Vulnerability CVE-2026-5027, with CVSS 8.8, is a path traversal in the POST /api/v2/files endpoint. The filename is taken directly from form data without sanitization, allowing an attacker to write arbitrary files on the server, such as a cron job in /etc/cron.d/. Since Langflow enables auto-login by default, a single unauthenticated request can lead to code execution. VulnCheck confirmed active exploitation starting June 9, 2026, with Censys estimating roughly 7,000 exposed instances, mostly in North America. This is the third Langflow flaw to be actively exploited this year, after CVE-2025-34291, used by the Iranian state-sponsored group MuddyWater and added to CISA's Known Exploited Vulnerabilities catalog. The patch was released April 15 with version 1.9.0, but many have not applied it yet.
LangChain-core: prompt loader exposing API keys
LangChain-core, the foundation of the other two frameworks, has CVE-2026-34070 with CVSS 7.5, a path traversal in the legacy prompt-loading API. The load_prompt() function reads a path from a config dict without checking for traversal sequences, allowing an attacker to read arbitrary files, such as the .env file containing OpenAI and Anthropic API keys. Paired with this, CVE-2025-68664 with CVSS 9.3 is a deserialization flaw that resolves environment secrets through a crafted object. The fixed versions are langchain-core 1.2.22 and 0.3.86 for the first, and 1.2.5 and 0.3.81 for the second. Applying both patches is essential.
Why traditional scanners miss these threats
Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, explains that these vulnerabilities are not perceived as AI problems: "CISOs will experience MCP insecurity not in the abstract, but when an employee pastes sensitive data into a tool, or when an attacker finds an unauthenticated MCP server in your cloud." The flaws reside in imported frameworks, which firewalls and EDR tools do not adequately monitor. Assaf Keren, CSO at Qualtrics, highlights the classification error: "Most security teams still classify AI frameworks as 'productivity tools,' exposing them to enormous risk." Security teams must update their policies, treating these frameworks as critical components.
Source: https://venturebeat.com/security/7000-langflow-servers-under-attack-langgraph-langchain-same-holes