Langflow, LangGraph, LangChain get exploited via basic bugs, not “AI risk”
Check Point and other researchers show SQL injection, path traversal, and unsafe deserialization chain into remote code execution.

Check Point Research, VulnCheck, Tenable, and Cyera have documented how three major AI agent frameworks can turn ordinary web-app bugs into shell access. For decision-makers, the consequence is simple: your “AI tooling” can inherit insecure defaults and become an unauthenticated pathway to your real secrets.
Your AI agent didn’t mysteriously “break.” The frameworks underneath it turned old, ordinary vulnerabilities into remote code execution. Check Point Research found a SQL injection in LangGraph’s SQLite checkpointer that chains to full remote code execution, while VulnCheck tracked a path traversal in Langflow’s file upload endpoint that leads to a shell. Cyera documented another path traversal in LangChain-core’s prompt loader that can read secrets off disk. Same bug classes. Different frameworks. Same outcome: a way in.
The pattern is more urgent than it sounds because it is happening in the parts teams tend to treat as plumbing. LangGraph’s checkpointer is meant to store agent state. Langflow’s /api/v2/files endpoint is meant to accept uploads. LangChain-core’s load_prompt is meant to load prompt configs. In each case, the application boundary is the place where attacker-controlled inputs meet sensitive data, like OpenAI keys, database credentials, and CRM tokens. The researchers’ details show how those boundaries fail: once an attacker can reach the right endpoint or import the right prompt, the “AI agent” becomes the delivery mechanism for the breach.
Start with the LangGraph chain, because it maps to production deployments teams have quietly scaled. LangGraph gives AI agents memory through checkpointers, the persistence layer that stores execution state, and it has cleared over 50 million downloads a month. Yarden Porat of Check Point Research took that layer apart and found three vulnerabilities. Two chain to remote code execution. CVE-2025-67644 (CVSS 7.3) is a SQL injection in the SQLite checkpointer. The function that builds the WHERE clause for checkpoint lookups drops user-controlled filter keys into the query with no parameterization and no escaping. The exposure is conditional, but serious where the conditions hold. A deployment is exposed when it self-hosts LangGraph on the SQLite or Redis checkpointer and lets untrusted input reach get_state_history() or a similar history endpoint. An attacker who controls the filter can write a fabricated row into the checkpoint table.
Then CVE-2026-28277 (CVSS 6.8) finishes the job through the msgpack checkpoint decoder. LangGraph rebuilds Python objects from stored data, which lets it import a module and call a named function with attacker-supplied arguments. That step needs write access to the checkpoint store, which the SQL injection grants remotely. LangGraph loads the forged row as a legitimate checkpoint, the decoder runs the specified function, including os.system, and code executes under the identity of the agent server. A third issue, CVE-2026-27022 (CVSS 6.5), reaches the same place through the Redis checkpointer. Check Point notes there has been no confirmed exploitation in the wild yet. A working proof-of-concept is public in their disclosure. Fixes are version bumps: langgraph-checkpoint-sqlite to 3.0.1, langgraph to 1.0.10, and langgraph-checkpoint-redis to 1.0.2.
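The injection step is the remote write the decoder step depends on, so it is the natural place to show the fix. The example below is added here and is not LangGraph's code: it contrasts the pattern the article describes (filter keys spliced into the WHERE clause) with a builder that allowlists column names and binds values as parameters, over a constructed in-memory SQLite table whose column names are hypothetical.

```python
import sqlite3

# Columns a caller may filter checkpoint lookups on. Hypothetical names for
# this example, not LangGraph's real schema.
ALLOWED_FILTER_COLUMNS = frozenset({"thread_id", "checkpoint_ns", "checkpoint_id"})


def build_where_unsafe(filters: dict) -> str:
    """The bug class the article describes, shown only as the 'before' form:
    keys and values are spliced into SQL text, so both become SQL."""
    return " AND ".join(f"{k} = '{v}'" for k, v in filters.items())


def build_where_safe(filters: dict):
    """Allowlist column names (identifiers cannot be bound as parameters) and
    bind every value with a placeholder so it is data, never SQL."""
    clauses, params = [], []
    for key, value in filters.items():
        if key not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"filter key not allowed: {key!r}")
        clauses.append(f'"{key}" = ?')
        params.append(value)
    return (" AND ".join(clauses) or "1=1"), params


def lookup_checkpoints(conn: sqlite3.Connection, filters: dict) -> list:
    """History lookup: only allowlisted identifiers reach the query text."""
    where, params = build_where_safe(filters)
    cur = conn.execute(
        f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id",
        params,
    )
    return [row[0] for row in cur.fetchall()]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a checkpoint store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_ns TEXT, checkpoint_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [("t1", "", "c1"), ("t1", "", "c2"), ("t2", "", "c3")],
    )
    conn.commit()
    return conn
```

A rejected key is also a detection signal: log it with the caller identity, since a legitimate client never sends a filter column the schema does not have.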
Now the Langflow chain, which is already getting exploited. CVE-2026-5027 (CVSS 8.8) is a path traversal in the POST /api/v2/files endpoint, which takes the filename straight from the form data and writes it to disk unsanitized. An attacker packs traversal sequences into the filename and drops a file anywhere, such as a cron job in /etc/cron.d/. Langflow ships with auto-login enabled in its default configuration, so an exposed instance needs no credentials at all. One unauthenticated request reaches the endpoint. The next cron run hands over a shell.
VulnCheck’s Caitlin Condon confirmed exploitation on June 9: “Our Canaries observed exploitation of CVE-2026-5027 that successfully leveraged the path traversal to write what appear to be test files on victim systems.” Censys put roughly 7,000 exposed instances on the internet, most in North America. This is the third Langflow flaw to draw active exploitation this year, after CVE-2025-34291. In that earlier case, the Iranian state-sponsored group MuddyWater weaponized the bug, and CISA added CVE-2025-34291 to its Known Exploited Vulnerabilities catalog in May. CVE-2026-5027 itself was patched in version 1.9.0 on April 15. Attacks started in June, and VulnCheck added CVE-2026-5027 to its exploited-vulnerabilities list June 8 after sensors caught the first in-the-wild hits. Every instance left unpatched between April 15 and those June events was exposed for almost two months.
Finally, the LangChain-core gap shows how the secrets you care about can be pulled without triggering any “AI” alarms. LangChain-core is the foundation under both LangGraph and Langflow. Cyera disclosed CVE-2026-34070 (CVSS 7.5), a path traversal in its legacy prompt-loading API. The load_prompt() functions read a file path out of a config dict with no check against traversal sequences or absolute paths. With attacker influence over that path, the attacker can read arbitrary files the process can reach, including the .env file holding OPENAI_API_KEY and ANTHROPIC_API_KEY. Cyera paired it with CVE-2025-68664 (CVSS 9.3), a deserialization flaw that resolves environment secrets through a crafted object. The fix versions differ, which matters when patching: CVE-2026-34070 lands in langchain-core 1.2.22 and 0.3.86. CVE-2025-68664 lands earlier in 1.2.5 and 0.3.81. Clear both, because the higher-severity flaw can stay live behind a partially applied patch.
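Both the Langflow upload flaw and the LangChain-core prompt-loader flaw come down to the same missing check: a path taken from the request or the config is never confined to the directory it belongs in. The example below is added here and is not Langflow's or LangChain-core's code: one confinement helper, applied once as an upload-filename guard and once as a prompt-loader guard, exercised against a constructed temporary directory (the config key `template_path` and the fixture file names are hypothetical).

```python
from pathlib import Path
import tempfile


def confine_path(base_dir: Path, untrusted: str) -> Path:
    """Resolve `untrusted` under `base_dir`; refuse anything that ends up
    outside it. resolve() follows '..' and symlinks, so both are caught."""
    base = base_dir.resolve()
    # Path('/base') / '/etc/x' yields '/etc/x', so absolute input fails below.
    candidate = (base / untrusted).resolve()
    if candidate == base or base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {untrusted!r}")
    return candidate


def safe_upload_target(upload_dir: Path, client_filename: str) -> Path:
    """Upload variant: a client names a file, never a directory, so keep only
    the last component before confining it (backslashes normalized too)."""
    basename = Path(client_filename.replace("\\", "/")).name
    return confine_path(upload_dir, basename)


def load_prompt_template(prompt_dir: Path, config: dict) -> str:
    """Prompt-loader variant: the path comes from a config dict. The key name
    'template_path' is hypothetical, not LangChain-core's."""
    path = confine_path(prompt_dir, str(config["template_path"]))
    return path.read_text(encoding="utf-8")


def demo(tmp_root: Path) -> dict:
    """Constructed fixture: one template inside prompts/, a .env outside it."""
    prompts = tmp_root / "prompts"
    prompts.mkdir()
    (prompts / "greeting.txt").write_text("Hello, {name}!", encoding="utf-8")
    (tmp_root / ".env").write_text("OPENAI_API_KEY=placeholder", encoding="utf-8")
    results = {"ok": load_prompt_template(prompts, {"template_path": "greeting.txt"})}
    for bad in ("../.env", str(tmp_root / ".env"), "sub/../../.env"):
        try:
            load_prompt_template(prompts, {"template_path": bad})
            results[bad] = "loaded"  # would mean the guard failed
        except ValueError:
            results[bad] = "rejected"
    results["upload"] = safe_upload_target(prompts, "../../etc/cron.d/job").name
    return results


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))
```

The check resolves symlinks, so a link planted inside the base directory that points elsewhere is rejected as well; pair it with a service account that has no read access to the secrets file in the first place.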
None of this is a frontier-model problem. It is plumbing. Path traversal, SQL injection, unsafe deserialization. The same appsec bugs, living inside new infrastructure. And that mismatch explains why scanners miss it. Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, told VentureBeat that this will not feel like “AI risk.” CISOs often discover it “when an employee pastes sensitive data into a tool, or when an attacker finds an unauthenticated MCP server in your cloud.” It “won’t feel like 'AI risk.' It will feel like your traditional security program failing.” The reason is that the exploit lives in the framework you imported, not in the endpoint your team hardened.
Baer’s underlying point is governance plus defaults, not just technical patching. She called it “the same mistake we’ve seen in every major protocol rollout: insecure defaults.” If teams do not build authentication and least privilege in from day one, she warned, “we’ll be cleaning up breaches for the next decade.” Langflow’s auto-login is that mistake shipped. LangChain-core’s unguarded prompt loader is that mistake shipped. And the moment an agent connects to anything, the risk compounds, because you inherit the hygiene of every tool, credential, and developer in the chain, turning “supply chain risk in real time” into something that lands in production. For executives, the takeaway is blunt: board-level security risk is no longer limited to your codebase. It includes the frameworks you treat as a safe internal component.