Your AI agent operated as intended. However, the underlying framework exposed a vulnerability that allowed an attacker to gain access to your system, compromising your OpenAI key, database credentials, and CRM tokens.
This scenario is not hypothetical. Within a few months, three popular AI agent frameworks have each converted a common bug type into a security breach. Check Point Research demonstrated a SQL injection in LangGraph’s SQLite checkpointer leading to complete remote code execution. Tenable and VulnCheck identified a path traversal vulnerability in Langflow’s file upload endpoint, resulting in active, real-world remote code execution. Cyera highlighted a path traversal in LangChain-core’s prompt loader that can expose your data on disk. These three frameworks share the same underlying issue.
These frameworks quickly became part of production infrastructure without adequate security measures. They manage agent state, accept file uploads, load prompt configurations, and store credentials for databases, CRMs, and internal APIs. Traditional security tools monitor traffic and processes but do not treat these frameworks as security boundaries, leaving a blind spot that widens as these frameworks are deployed in production.
The LangGraph chain: SQL injection to a Python shell
LangGraph is widely adopted, providing AI agents with memory through checkpointers that store execution state. It has surpassed 50 million downloads per month. Yarden Porat from Check Point Research uncovered three vulnerabilities in this framework, two of which can lead to remote code execution (RCE).
CVE-2025-67644, with a CVSS score of 7.3, is a SQL injection flaw in the SQLite checkpointer. This vulnerability occurs when the WHERE clause for checkpoint lookups incorporates user-controlled filter keys into the query without parameterization or escaping. Deployments are at risk if they self-host LangGraph on SQLite or Redis checkpointers and allow untrusted input to access get_state_history() or similar endpoints. On the other hand, using LangChain’s managed LangSmith platform on PostgreSQL eliminates this exposure.
CVE-2026-28277, with a CVSS score of 6.8, exacerbates the situation. LangGraph’s msgpack checkpoint decoder reconstructs Python objects from stored data, enabling it to import modules and call functions with attacker-supplied arguments. This step requires write access to the checkpoint store, which the SQL injection vulnerability enables remotely. LangGraph processes the forged row as a valid checkpoint, and the decoder executes the specified function, including os.system, under the agent server’s identity. An additional vulnerability, CVE-2026-27022, CVSS 6.5, affects the Redis checkpointer in a similar manner.
There is no confirmed exploitation in the wild yet. However, a proof-of-concept is available in Check Point’s disclosure. The solution is to update to the following versions: langgraph-checkpoint-sqlite to 3.0.1, langgraph to 1.0.10, and langgraph-checkpoint-redis to 1.0.2.
The Langflow chain: one unauthenticated request to RCE
Langflow is already under attack. CVE-2026-5027, with a CVSS score of 8.8, is a path traversal vulnerability in the POST /api/v2/files endpoint, which writes a filename from form data to disk without sanitization. An attacker can manipulate the filename with traversal sequences to place a file anywhere, such as a cron job in /etc/cron.d/. Langflow’s default configuration includes auto-login, so an exposed instance requires no credentials. A single unauthenticated request can exploit this vulnerability, and the next cron run grants shell access.
On June 9, VulnCheck’s Caitlin Condon confirmed the exploitation: “Our Canaries observed exploitation of CVE-2026-5027 that successfully leveraged the path traversal to write what appear to be test files on victim systems.” Censys reported approximately 7,000 exposed instances on the internet, mainly in North America. This is the third Langflow vulnerability actively exploited this year, following CVE-2025-34291, which was weaponized by Iran-linked MuddyWater and added to CISA’s Known Exploited Vulnerabilities catalog in May. CVE-2026-5027 was patched in version 1.9.0, released on April 15.
The timeline is crucial. The patch was released on April 15. Attacks began in June, and VulnCheck added CVE-2026-5027 to its exploited-vulnerabilities list on June 8 after detecting the first real-world attacks. Instances left unpatched between those dates have been vulnerable for nearly two months. Security teams should start the patch process at disclosure rather than waiting for a federal catalog entry.
The LangChain-core gap: arbitrary file reads through the prompt loader
LangChain-core, the foundation for both, disclosed CVE-2026-34070, CVSS 7.5, a path traversal vulnerability in its legacy prompt-loading API. The load_prompt() functions read a file path from a config dictionary without verifying traversal sequences or absolute paths. Consequently, an attacker who controls this path can read arbitrary files accessible to the process, including .env files storing OPENAI_API_KEY and ANTHROPIC_API_KEY. Cyera coupled it with CVE-2025-68664, CVSS 9.3, a deserialization vulnerability that resolves environment secrets via a crafted object. The fix versions differ, affecting patching: CVE-2026-34070 is addressed in langchain-core 1.2.22 and 0.3.86; CVE-2025-68664 is fixed in 1.2.5 and 0.3.81. Both must be resolved to prevent the higher-severity vulnerability from remaining active behind a patched one.
Three frameworks share three classic application security flaws: path traversal, SQL injection, and unsafe deserialization. These are not exotic or AI-specific vulnerabilities, but rather outdated issues within new infrastructure. The problem lies in the intersection of AI and enterprise systems.
Why scanners cannot detect these issues
Merritt Baer, CSO at Enkrypt AI, identifies the challenge in recognizing these failures. They do not present themselves as AI issues. “CISOs will encounter MCP insecurity not theoretically, but when an employee pastes sensitive data into a tool, or when an attacker finds an unauthenticated MCP server in your cloud,” Baer told VentureBeat. “It won’t seem like ‘AI risk.’ It will appear as a failure in your standard security program.” The framework vulnerabilities follow the same pattern. An exposed Langflow instance resembles an unauthenticated server in your cloud, and any alert that triggers looks like a typical incident.
The gap lies in the imported framework. The WAF does not detect a msgpack decoder operating three layers deep. The EDR observes the agent server executing routine process calls and allows it. Both tools function correctly, but no one identified the framework itself as a potential threat.
The underlying issue predates AI, according to Baer. “MCP is launching with the same error seen in every major protocol rollout: insecure defaults,” she explained to VentureBeat. “If we don’t incorporate authentication and least privilege from the beginning, we’ll be resolving breaches for the next decade.” Langflow’s auto-login is one such mistake. LangChain-core’s unprotected prompt loader is another. The vulnerability is the convenient default setting. Once an agent connects to any system, the risk multiplies. “You’re not just relying on your own security; you’re inheriting the security practices of every tool, credential, and developer in that chain,” Baer emphasized. “That’s a supply chain risk in real-time.”
This situation also reflects a governance failure, as noted by Assaf Keren, chief security officer at Qualtrics. “Most security teams classify experience management platforms as ‘survey tools,’ placing them in the same risk tier as a project management app,” Keren told VentureBeat. “This is a significant misclassification.” The same applies to AI agent frameworks. Teams categorize LangGraph, Langflow, and LangChain as developer conveniences, then connect them to databases, CRMs, and provider keys. “Security must be an enabler,” Keren stated, “or teams will bypass it.” These frameworks demonstrate what happens when security is bypassed.
The financial implications are evident at this level. During its Q1 fiscal 2027 earnings call, CrowdStrike reported its AI detection and response line increased by over 250% sequentially. On June 17, it expanded runtime coverage to encompass agent, LLM, and MCP traffic on AWS. George Kurtz, the company’s co-founder and CEO, explained: “Agents operate on the endpoint. They execute tool calls, access files, invoke APIs, and transfer data at the process level.” This is the precise layer these vulnerabilities exploit, and substantial investments are being directed toward the area your AppSec scan overlooks.
What to present to the board
The board does not require CVE numbers. It needs to understand the implications, as Keren articulates. Most teams have assessed the technical impact. “But not the business impact,” Keren told VentureBeat. “When an AI engine triggers a compensation adjustment based on compromised data, the outcome is not a security incident. It is an incorrect business decision executed at machine speed.” A framework RCE presents the same issue one layer earlier. The agent does not merely disclose a credential; it uses it on production systems, resulting in an inexplicable business outcome.
Thus, present it as the board would: we operate AI agent frameworks in production that can be transformed into remote shells through vulnerabilities our scanners are not designed to detect. All three issues have patches, one is actively targeted, and here is the date every instance is verified and secured. None of these situations involved custom malware or a zero-day vulnerability.
The six-question checklist
Six trust boundaries, each with a question, proof point, command, fix, and board statement. Run it tonight.
|
Trust-Boundary Question |
Proof Point |
What Broke |
Verify Before You Install |
The Fix |
Board Language |
|
1. Can the agent’s state store be poisoned with code? |
LangGraph SQLi-to-RCE chain. CVE-2025-67644 (CVSS 7.3) chains into CVE-2026-28277 (CVSS 6.8). PoC public, no in-the-wild use yet. |
Filter keys interpolated into SQL with an f-string. Forged checkpoint row hits the msgpack decoder, which imports and runs an attacker-named callable. |
pip show langgraph-checkpoint-sqlite. Below 3.0.1 = vulnerable. Confirm get_state_history() is not exposed to network input. |
Upgrade langgraph-checkpoint-sqlite to 3.0.1, langgraph to 1.0.10, langgraph-checkpoint-redis to 1.0.2. |
“Our agent memory layer can be tricked into running attacker code. Vendor has patched it. We are upgrading and confirming the endpoint is not exposed.” |
|
2. Can an unauthenticated request write a file to our agent server? |
Langflow CVE-2026-5027 (CVSS 8.8). On VulnCheck KEV (June 8). Active exploitation confirmed June 9. ~7,000 exposed instances (Censys). |
Path traversal in POST /api/v2/files. Filename unsanitized. Auto-login on by default. Two HTTP calls drop a cron job and earn a shell. |
Query Censys or Shodan for your Langflow, Flowise, n8n, and Dify instances on the perimeter. Check whether auto-login is enabled. |
Upgrade Langflow to 1.9.0+. Disable auto-login. Pull AI dev tools behind VPN or zero-trust. Isolate port 7860. |
“Our AI dev tools are reachable from the internet with login off. This exact flaw is under active attack now. We are pulling them behind access controls today.” |
|
3. Can our prompt loader read files it should never touch? |
LangChain-core CVE-2026-34070 (CVSS 7.5), path traversal in the prompt-loading API. Paired with deserialization CVE-2025-68664 (CVSS 9.3). |
load_prompt() reads a config-supplied path with no traversal check, returning files such as the .env holding OPENAI_API_KEY and ANTHROPIC_API_KEY. |
pip show langchain-core. Below 1.2.22 (1.x) or 0.3.86 (0.x) = vulnerable. Audit any code passing user-influenced paths to load_prompt(). |
Upgrade langchain-core past both fixes: 1.2.22 / 0.3.86 (CVE-2026-34070) and 1.2.5 / 0.3.81 (CVE-2025-68664). Replace load_prompt() with an allowlisted directory. Run as non-root. |
“Our prompt system could be steered to read our API keys off disk. We are patching and removing the legacy loader.” |
|
4. Does a compromised framework hand over every credential at once? |
These frameworks are often deployed with provider keys, database credentials, and integration tokens available to the process environment. Cyera documents the credential-exfiltration path. |
One RCE on the agent server exposes every secret the process can read. Blast radius is the full credential set, not one app. |
Inventory which secrets each framework process can reach. Confirm keys come from a secrets manager, not static .env files. |
Move provider keys to ephemeral injection. Rotate any key a vulnerable instance could have read. Scope each key to least privilege. |
“A single break in one AI framework exposes the keys to every model and data store it touches. We are rotating and scoping them now.” |
|
5. Are these frameworks running outside security governance? |
A prior Langflow flaw, CVE-2025-34291, was weaponized by Iranian-linked MuddyWater and added to CISA KEV in May. Shadow AI is the new shadow IT. |
Teams stand frameworks up for speed, give them credentials, and never bring them under review. The security team cannot see what it does not know exists. |
Run a discovery sweep for AI frameworks outside change management. Map each to an owner and an approval record. |
Assign every framework a documented owner and a place in the approval process. Offer a sanctioned alternative so teams do not route around you. |
“We have AI frameworks in production that no one formally approved. We are bringing them under governance, not banning them.” |
|
6. Can our scanners even see inside the framework at runtime? |
Runtime detection is forming around this layer: CrowdStrike Falcon AIDR expanded to AWS June 17 (Bedrock, Kiro, Strands); its QuiltWorks coalition now covers cloud workloads. |
WAF reads HTTP at the edge. EDR watches the endpoint. By default, neither reliably models a msgpack decoder or a prompt loader three layers down in an imported framework as a separate trust boundary. |
Test whether your AppSec scan covers third-party framework internals. Track CVEs by dependency, not just by what your edge tools can parse. |
Add framework dependencies to vuln management. Treat agent output and stored state as untrusted. Patch on disclosure, not on KEV listing. |
“Our scanners check our code, not the frameworks our code imports. We are closing that blind spot and patching on disclosure, not waiting for the federal catalog.” |
How to read this table: each row is one trust boundary, left to right, from the question to ask to the line to read your board.
Give the board the deadline, not the technology
The solutions do not require re-architecting. They involve version updates and configuration changes that can be implemented this week. The exposure period is the time between patch release and when your team conducts checks, currently measured in months. The frameworks functioned as designed.
