VentureBeat
7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes
Three widely used AI agent frameworks—LangGraph, Langflow, and LangChain-core—have critical vulnerabilities that allow attackers to gain remote code execution or access sensitive information. These frameworks, deployed as production infrastructure, store agent state, handle file uploads, load prompt configurations, and hold critical credentials. Traditional security tools like WAFs and EDRs often miss these attacks because the exploits occur deep within the imported framework code.
LangGraph's SQL injection (CVE-2025-67644) in its SQLite checkpointer can be chained with a deserialization flaw (CVE-2026-28277) to achieve remote code execution by forging checkpoint rows. Although not yet exploited in the wild, a public proof-of-concept exists, and fixes are available in updated versions. Langflow's path traversal vulnerability (CVE-2026-5027) in its file upload endpoint allows unauthenticated attackers to write arbitrary files, including cron jobs, leading to active remote code execution. This flaw is actively being exploited, with thousands of instances exposed online and a patch released in April, highlighting the urgency of immediate patching.
LangChain-core suffers from a path traversal (CVE-2026-34070) in its legacy prompt-loading API, which allows attackers to read arbitrary files, including API keys, when combined with a deserialization vulnerability (CVE-2025-68664). These issues stem from common application security bugs—SQL injection, path traversal, and unsafe deserialization—not AI-specific problems, making them harder to detect with current security practices.
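Two of the three bugs above, Langflow's upload endpoint and LangChain-core's prompt loader, are the same class of defect: a user-supplied name is joined onto a base directory without checking that the result stays inside it, so `..` segments or an absolute name select a file the application never intended to write or read. The following is an added, generic Python illustration of that weak pattern beside a hardened version; it is not Langflow's or LangChain's code, and the storage root, function names and sample inputs are constructed for the example.

```python
"""Added illustration of the path-traversal bug class; not Langflow/LangChain code.

The same containment check applies whether a framework is writing an uploaded
file or reading a prompt configuration: the user-supplied name must never
select a path outside the directory the application intended.
"""
from pathlib import Path

# Constructed example root; a real deployment would use its own storage dir.
STORAGE_ROOT = Path("/srv/example-app/storage")


def escapes_root(candidate: Path, root: Path) -> bool:
    """True if `candidate`, after normalisation, lies outside `root`.

    resolve() collapses '..' segments and follows symlinks, so the check is
    made on the path the OS would actually open, not on the raw string.
    """
    resolved = candidate.resolve()
    root_resolved = root.resolve()
    return resolved != root_resolved and root_resolved not in resolved.parents


def weak_join(user_name: str, root: Path = STORAGE_ROOT) -> Path:
    """The vulnerable pattern: join the name straight onto the root.

    '..' segments walk out of the directory, and an absolute name replaces
    the root entirely (pathlib discards `root` when the right side is absolute).
    """
    return root / user_name


def confined_path(user_name: str, root: Path = STORAGE_ROOT) -> Path:
    """Hardened form: accept only a single plain path component, then verify
    that the resolved result is still under `root`.

    Rejecting rather than silently renaming keeps behaviour predictable and
    leaves rejected names visible in application logs for detection.
    """
    if not user_name or user_name in (".", ".."):
        raise ValueError(f"rejected name: {user_name!r}")
    # Separators of either style and NUL bytes never belong in a bare filename.
    if any(ch in user_name for ch in ("/", "\\", "\x00")):
        raise ValueError(f"rejected name: {user_name!r}")
    candidate = (root / user_name).resolve()
    # Defence in depth: a plain name can still resolve outside the root if that
    # directory entry is a symlink pointing elsewhere.
    if escapes_root(candidate, root):
        raise ValueError(f"escapes storage root: {user_name!r}")
    return candidate


def triage(names: list, root: Path = STORAGE_ROOT) -> dict:
    """Classify a batch of user-supplied names as 'ok' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            confined_path(name, root)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: one legitimate filename and two traversal attempts.
    samples = ["report.csv", "../../etc/cron.d/job", "/etc/passwd"]
    for s in samples:
        leaked = escapes_root(weak_join(s), STORAGE_ROOT)
        print(f"{s!r}: weak join escapes root = {leaked}")
    print(triage(samples))
```

The check in `escapes_root` is the one that matters for both the write and the read case: compare the fully resolved path against the resolved root rather than inspecting the string for `..`, since encoding tricks and symlinks are handled by the filesystem, not by the pattern match.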
The core issue is that these frameworks became integral production components faster than they were secured, often shipping with insecure defaults like auto-login enabled. Security teams frequently miscategorize these AI agent frameworks as low-risk developer tools, leading to insufficient protection and a "supply chain risk in real time." Failure to address these vulnerabilities can result in more than just security incidents; they can lead to "wrong business decisions executed at machine speed" if poisoned data or unauthorized actions occur.
Boards need to understand the business consequences of these vulnerabilities. A board-focused message should highlight that AI agent frameworks in production can grant attackers remote shells through known bugs, that patches are available, and that one framework is already under active real-world attack. A six-question checklist is provided for immediate action, focusing on verifying and fixing vulnerabilities related to agent state poisoning, unauthenticated file writes, and unauthorized file reads by prompt loaders. This urgent security posture requires immediate upgrades, disabling insecure defaults, and isolating AI development tools behind stricter access controls.