7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes
Summary
Critical security vulnerabilities have been identified in three widely deployed AI agent frameworks: Langflow, LangGraph, and LangChain-core. Langflow is currently under active attack, with approximately 7,000 exposed instances, primarily due to CVE-2026-5027 (CVSS 8.8), a path traversal flaw in its file upload endpoint that allows unauthenticated remote code execution (RCE). This vulnerability was patched in version 1.9.0 on April 15, but exploitation began in June. LangGraph has two RCE chains, CVE-2025-67644 (CVSS 7.3) and CVE-2026-28277 (CVSS 6.8), stemming from a SQL injection and unsafe deserialization, with fixes in versions 3.0.1 and 1.0.10. LangChain-core suffers from CVE-2026-34070 (CVSS 7.5), a path traversal in its prompt loader, which can read sensitive files like API keys, patched in versions 1.2.22 and 0.3.86. These are classic AppSec bugs, often overlooked by traditional security tools and exacerbated by insecure defaults.
Key takeaway
For MLOps Engineers or AI Security Engineers deploying agent frameworks, immediately patch Langflow to 1.9.0+, LangGraph to 3.0.1/1.0.10, and LangChain-core to 1.2.22/0.3.86. Disable Langflow's auto-login and secure all AI development tools behind zero-trust access. Your traditional security tools likely miss these framework-level vulnerabilities, which enable remote code execution and credential theft. Prioritize patching on disclosure, not waiting for federal catalog listings, to mitigate active exploitation risks.
Key insights
Widely used AI agent frameworks like Langflow, LangGraph, and LangChain-core are critically vulnerable to classic AppSec flaws, enabling RCE and secret exfiltration.
Principles
- Insecure defaults create systemic vulnerabilities.
- Inherited security hygiene is a supply chain risk.
- Traditional security tools miss framework-level exploits.
Method
Assess six trust boundaries: agent state store, unauthenticated file writes, prompt loader file access, credential exposure, security governance, and scanner coverage for framework internals.
In practice
- Upgrade Langflow to 1.9.0+ and disable auto-login.
- Patch LangGraph and LangChain-core to the fixed releases named above (LangGraph 3.0.1 or 1.0.10, LangChain-core 1.2.22 or 0.3.86).
- Move API keys to ephemeral injection and rotate any keys that may have been compromised.
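A version audit for the patching steps above, as an added example (not code from the page, from VentureBeat, or from any of the three projects): given a {package: version} inventory per host, it rates each install against the fixed releases the summary names, picking the minimum for the install's maintenance line and treating a pre-release of a fixed version as still unfixed. The inventory format and the PEP 440-style version parsing are assumptions.

```python
"""Audit Langflow, LangGraph and LangChain-core versions against the fixed
releases named in the summary above (added example, not project code)."""
import re

# Minimum fixed release per maintenance line, keyed by major version. LangGraph
# and LangChain-core each have two lines, so a single ">= newest" check would
# wrongly flag a patched LangGraph 1.0.10 or LangChain-core 0.3.86 install.
FIXED = {
    "langflow": {1: (1, 9, 0)},                        # CVE-2026-5027
    "langgraph": {3: (3, 0, 1), 1: (1, 0, 10)},        # CVE-2025-67644, CVE-2026-28277
    "langchain-core": {1: (1, 2, 22), 0: (0, 3, 86)},  # CVE-2026-34070
}
_VERSION = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRE = re.compile(r"^[.\-]?(a|b|rc|alpha|beta|dev)\d*", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a PEP 440-style string:
    '0.3.86.post1' is a post-release of 0.3.86, '1.9.0rc1' predates 1.9.0."""
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(g) if g else 0 for g in match.groups()[:3])
    return nums, bool(_PRE.match(match.group(4)))

def assess(package, installed):
    """Rate one install as 'fixed', 'vulnerable', or 'review' when its major
    version is a line the summary names no fixed release for."""
    nums, prerelease = parse_version(installed)
    minimum = FIXED[package].get(nums[0])
    if minimum is None:
        return "review"
    # A pre-release of the fixed version itself was cut before the fix landed.
    if nums < minimum or (nums == minimum and prerelease):
        return "vulnerable"
    return "fixed"

def audit(inventory):
    """Audit a {package: version} inventory (e.g. built from `pip list
    --format=json` on each host); packages missing from it are 'absent'."""
    return {p: assess(p, inventory[p]) if p in inventory else "absent" for p in FIXED}

if __name__ == "__main__":
    # Constructed sample inventory for one host.
    sample = {"langflow": "1.8.2", "langgraph": "1.0.10", "langchain-core": "1.2.22rc1"}
    for package, status in audit(sample).items():
        print(f"{package:15} {sample.get(package, '-'):10} {status}")
```

A "review" result means the install is on a major line the summary gives no fixed version for, so it needs a manual check rather than a silent pass.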
Topics
- AI Agent Frameworks
- Langflow Security
- LangGraph Vulnerabilities
- LangChain-core Exploits
- Remote Code Execution
- Supply Chain Risk
Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, MLOps Engineer, Director of AI/ML
Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.