
Critical Security Flaws in LangGraph & LangChain: How Coding Errors Expose Secrets and Enable Remote Access

Classic coding flaws in AI frameworks such as LangGraph and LangChain can hand attackers full control of the host system, exposing sensitive data and private keys.


By Paulette Panissidi | June 30, 2026

The widespread adoption of AI agent tools, including LangGraph and LangChain, has revealed critical system vulnerabilities that attackers can exploit to reach highly sensitive data. Researchers recently identified basic coding errors in three popular AI agent tools that allowed attackers to take full control of the underlying systems. The findings show how simple coding and configuration mistakes can give an attacker a shell on the host, with direct access to private keys and database contents.

Widespread Security Weaknesses in AI Frameworks

  • Check Point Research identified a SQL injection vulnerability within LangGraph's SQLite checkpointer. Designated CVE-2025-67644, this flaw permits full remote code execution via a chained attack. It occurs because the function that constructs the WHERE clause accepts user-controlled filter keys without proper validation. While not every configuration is affected, the risk is critical wherever an attacker can influence the input reaching the history endpoint. Self-hosted LangGraph deployments using the SQLite or Redis checkpointers are vulnerable if untrusted input reaches the state history function.
  • A second weakness, CVE-2026-28277, enables LangGraph's msgpack checkpoint decoder to import modules and execute functions using arguments supplied by an attacker. This step requires write access to the checkpoint store, which the initial SQL injection flaw can provide remotely. LangGraph treats the forged data as a valid checkpoint, so the decoder runs the specified functions, including operating system commands. This shows how the core system design creates a dangerous pathway for attackers to execute code under the agent server's identity.
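The first bullet describes a WHERE-clause builder that interpolates caller-supplied filter keys. The following added example (not LangGraph's code; the table, rows and function names are constructed for illustration) puts that unsafe pattern next to a hardened version that allowlists keys and keeps values as bound parameters, so a crafted key can no longer widen a thread-scoped history query to other threads' checkpoints.

```python
import sqlite3

# Hypothetical checkpoint table and filter API modelled on the page's
# description; this is not LangGraph's real schema or code.
SCHEMA = (
    "CREATE TABLE checkpoints ("
    "thread_id TEXT, checkpoint_id TEXT, source TEXT, step INTEGER)"
)
SAMPLE_ROWS = [  # constructed sample data: two threads, three checkpoints
    ("t1", "c1", "input", 0),
    ("t1", "c2", "loop", 1),
    ("t2", "c3", "input", 0),
]
ALLOWED_FILTER_KEYS = {"source", "step"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_where_unsafe(filters):
    # Vulnerable pattern: the caller-supplied key is pasted into the SQL text.
    # Only the value is parameterised, so the key itself can carry SQL.
    return [f"{key} = ?" for key in filters], list(filters.values())


def build_where_safe(filters):
    # Hardened pattern: keys are checked against a fixed allowlist before
    # they touch the query string; values remain bound parameters.
    unknown = set(filters) - ALLOWED_FILTER_KEYS
    if unknown:
        raise ValueError(f"unsupported filter key(s): {sorted(unknown)}")
    return [f"{key} = ?" for key in filters], list(filters.values())


def history(conn, thread_id, filters, builder=build_where_safe):
    """Return checkpoint ids for one thread, narrowed by optional filters."""
    clauses, params = builder(filters)
    sql = "SELECT checkpoint_id FROM checkpoints WHERE thread_id = ?"
    for clause in clauses:
        sql += " AND " + clause
    return [row[0] for row in conn.execute(sql, [thread_id, *params])]
```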

How Langflow and LangChain Core Flaws Create Backdoors

  • Langflow is currently facing active attacks due to a path traversal weakness, CVE-2026-5027, in its file upload endpoint. The upload handler takes the filename straight from the form data and writes it to disk without sanitization, so an attacker controls where the uploaded file lands. Because Langflow defaults to auto-login, an exposed instance requires no credentials for an attacker to gain access. VulnCheck confirmed exploitation on June 9, observing that the weakness was used to write test files onto victim systems.
  • The scope of this finding is substantial: 7,000 exposed Langflow instances were tracked globally, primarily in North America. This was the third Langflow issue to see live attacks this year, following the MuddyWater campaign against earlier versions. Although the patch for CVE-2026-5027 was released on April 15, attacks commenced in June, leaving systems exposed for nearly two months. This timeline suggests security teams must prioritize patching immediately upon flaw disclosure, rather than waiting for governmental alerts.
  • LangChain-core also presents risks through CVE-2026-34070, a path traversal vulnerability in its older prompt-loading API. This function reads a file path from a configuration dictionary without checking for traversal sequences, a serious coding error. An attacker who can influence that path can read any file the server can access, including the secret .env file that holds API keys such as OPENAI_API_KEY. Cyera combined this with CVE-2025-68664, a deserialization flaw that lets attackers resolve environment secrets via a custom object. Addressing both issues is crucial because the more severe flaw remains active even if the less severe one is patched.
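Both the Langflow upload bullet and the LangChain-core prompt-loading bullet come down to a path taken from untrusted input (a form filename, a configuration dictionary) and used on disk without confinement. The following added example (not Langflow's or LangChain's code; the function names and the `template_path` key are hypothetical) shows the defensive pattern for each case: keep only the basename for uploads, and for config-supplied paths resolve symlinks and `..` first, then verify the result still sits under the intended root.

```python
from pathlib import Path, PurePosixPath

# Hypothetical helpers illustrating the containment pattern; not the
# projects' own code.


def safe_upload_path(upload_dir, client_filename):
    """Keep only the basename of a client-supplied filename and confine the
    result to upload_dir. Returns None if the name is unusable."""
    # Drop any directory component the client sent, whichever separator it used.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    if name in ("", ".", ".."):
        return None
    base = Path(upload_dir).resolve()
    target = (base / name).resolve()
    # A pre-planted symlink with that name could still point elsewhere,
    # so check the resolved location, not just the string.
    if target.parent != base:
        return None
    return target


def load_prompt_path(config, prompt_root):
    """Resolve a config-supplied template path and reject anything that
    escapes prompt_root after normalisation and symlink resolution."""
    raw = config.get("template_path")
    if not isinstance(raw, str) or not raw or Path(raw).is_absolute():
        raise ValueError("template_path must be a non-empty relative string")
    root = Path(prompt_root).resolve()
    candidate = (root / raw).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"template_path escapes prompt root: {raw!r}")
    return candidate
```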

The Security Blind Spot in AI Plumbing

These three major tools expose three classic application security issues: path traversal, SQL injection, and unsafe deserialization. These are not novel AI-specific problems, but rather long-standing coding weaknesses embedded deep within modern AI setups. This security gap exists within the “plumbing” layer where AI integrates with corporate business systems. Security experts note that these issues are difficult for typical scanning tools to detect because they do not manifest as AI-specific risks.


Security professionals contend that Chief Information Security Officers will face security failures when employees input sensitive data into a tool. Similarly, an attacker who discovers an unauthenticated server in your cloud is unlikely to classify the finding as an AI risk. The weakness resides within the imported framework code, so firewalls often fail to detect the internal attack mechanisms. This highlights a major deficiency: security tools frequently overlook the internal operations of the AI setup. Ensuring robust security for LangGraph and LangChain requires looking beyond the surface layer of the AI application itself.
