AI Agent Frameworks Exposed: How SQLi, Path Traversal & Deserialization Flaws Grant Attackers Full RCE Access to Your Keys & Data

June 20, 2026 – Rachel Kim, Technology Editor

7,000 Langflow Servers Under Attack: How LangGraph and LangChain Share the Same Critical Flaws

7,000 exposed Langflow instances are actively exploited via CVE-2026-5027, while LangGraph and LangChain share identical SQL injection and deserialization vulnerabilities that can hand attackers full access to OpenAI keys, database credentials, and production systems. The flaws—three separate but structurally identical bugs—chain from unpatched frameworks into remote code execution with no authentication required. Patches exist, but the window between disclosure and deployment is measured in months, not days.

The Tech TL;DR:

  • 7,000 Langflow servers are under active attack via CVE-2026-5027 (CVSS 8.8), with no credentials needed due to default auto-login. Censys tracks the exposed instances.
  • LangGraph and LangChain share the same plumbing-level flaws: SQL injection in checkpointers (CVSS 7.3), unsafe deserialization (CVSS 9.3), and path traversal in prompt loaders (CVSS 7.5). All three can leak API keys and execute code.
  • Patches exist, but enterprise adoption lags—CISA added a prior Langflow flaw to its KEV catalog in May, yet exploitation continues. CrowdStrike now monitors AI agent traffic for these exact attack patterns.

Why This Isn’t a Hypothetical: The Exploit Chain That Hands Attackers Your OpenAI Key

The frameworks did exactly what they were designed to do. They stored agent state, took file uploads, loaded prompt configs, and held the credentials to databases, CRMs, and internal APIs. The edge tools watch traffic. The endpoint tools watch processes. Neither was built to treat an imported framework as a boundary worth guarding—and that blind spot is exactly where all three chains live.

Check Point Research chained a SQL injection in LangGraph’s SQLite checkpointer to full remote code execution. Tenable and VulnCheck tracked a path traversal in Langflow’s file upload endpoint to active, in-the-wild RCE. Cyera documented a path traversal in LangChain-core’s prompt loader that reads your secrets off disk. Two paths to a shell, one to your keys. They are the same bug, wearing three frameworks.

“This is the exact plumbing these chains abuse, and real money is now moving to the layer your AppSec scan skips.” — George Kurtz, CrowdStrike CEO, June 17 earnings call

Source: CrowdStrike AI Detection & Response Expansion

Framework A: The Cybersecurity Threat Report

1. LangGraph: SQL Injection to Python Shell (CVSS 7.3 → 6.8 Chain)

LangGraph gives AI agents memory through checkpointers—the persistence layer that stores execution state. It has cleared over 50 million downloads a month, yet its SQLite and Redis checkpointers drop user-controlled filter keys straight into SQL queries with no parameterization. Yarden Porat of Check Point Research found that:

  • CVE-2025-67644 (CVSS 7.3): SQL injection in the WHERE clause builder for checkpoint lookups. A fabricated row can be written into the checkpoint table.
  • CVE-2026-28277 (CVSS 6.8): The msgpack checkpoint decoder rebuilds Python objects from stored data, allowing arbitrary module imports and function calls (e.g., os.system).
  • CVE-2026-27022 (CVSS 6.5): Same attack path via Redis checkpointer.

The chain requires write access to the checkpoint store—granted remotely by the SQL injection. A proof-of-concept exists in Check Point’s disclosure, but no confirmed in-the-wild exploitation yet. Patches:

  • langgraph-checkpoint-sqlite → 3.0.1
  • langgraph → 1.0.10
  • langgraph-checkpoint-redis → 1.0.2

Why it matters: LangGraph runs as the agent server’s identity. A successful exploit hands an attacker the same permissions as your production AI workflows.
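The fix for the checkpointer bug described above is the standard one for any filter builder: keys are matched against an allowlist of column names and values are bound as parameters. The following is an added illustration, not LangGraph's code; the checkpoints table, its columns and the allowlist are hypothetical stand-ins for a checkpoint store.

```python
import sqlite3
from typing import Any

# Added example, not LangGraph's code: the table, columns, and allowlist
# below are hypothetical stand-ins for a checkpoint store.
ALLOWED_FILTER_COLUMNS = {"thread_id", "checkpoint_ns", "checkpoint_id"}


def build_where_unsafe(filters: dict[str, Any]) -> str:
    """The anti-pattern the disclosure describes, kept only for contrast:
    caller-supplied keys and values become SQL text."""
    return "WHERE " + " AND ".join(f"{k} = '{v}'" for k, v in filters.items())


def build_where_safe(filters: dict[str, Any]) -> tuple[str, list[Any]]:
    """Keys must be known column names; values are bound parameters."""
    clauses: list[str] = []
    params: list[Any] = []
    for key, value in filters.items():
        if key not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append(f"{key} = ?")
        params.append(value)
    return ("WHERE " + " AND ".join(clauses) if clauses else ""), params


def lookup_checkpoints(conn: sqlite3.Connection, filters: dict[str, Any]) -> list:
    where, params = build_where_safe(filters)
    sql = f"SELECT checkpoint_id, state FROM checkpoints {where}"
    return conn.execute(sql, params).fetchall()


def demo() -> tuple[int, int]:
    """Constructed in-memory store with one checkpoint row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint_ns TEXT,"
                 " checkpoint_id TEXT, state BLOB)")
    conn.execute("INSERT INTO checkpoints VALUES ('t1', '', 'c1', x'00')")
    good = lookup_checkpoints(conn, {"thread_id": "t1"})
    # SQL metacharacters in a value are matched literally, not executed.
    odd = lookup_checkpoints(conn, {"thread_id": "t1' OR '1'='1"})
    return len(good), len(odd)
```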

2. Langflow: One Unauthenticated Request to RCE (CVSS 8.8, Actively Exploited)

Langflow’s CVE-2026-5027 is the most critical: a path traversal in the POST /api/v2/files endpoint that writes attacker-supplied filenames unsanitized to disk. With auto-login enabled by default, an exposed instance requires no credentials.

Steps to exploitation:

  1. Attacker sends a malformed filename (e.g., ../../../etc/cron.d/backdoor) via the file upload endpoint.
  2. Langflow writes the file to an arbitrary location.
  3. Next cron run executes the attacker’s shell script.

VulnCheck confirmed exploitation on June 9, and Censys identified ~7,000 exposed instances—mostly in North America. This is the third Langflow flaw weaponized this year; CISA added CVE-2025-34291 to its KEV catalog in May after Iranian state-sponsored group MuddyWater exploited it.

Patch timeline: Fixed in Langflow 1.9.0 (April 15), yet attacks began in June. The lesson: patch on disclosure, not on KEV listing.

3. LangChain-core: Arbitrary File Reads Through the Prompt Loader (CVSS 7.5 → 9.3 Chain)

LangChain-core’s load_prompt() functions read file paths from config dicts with no traversal checks. An attacker controlling the path can read:

  • .env files (holding OPENAI_API_KEY, ANTHROPIC_API_KEY)
  • Database connection strings
  • Internal API tokens
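The Langflow upload flaw and the LangChain-core prompt-loader flaw share one remedy: confine every user-influenced path to a root directory before touching disk. The following added example is not Langflow's or LangChain-core's code; the root directories and the "path" config key are hypothetical, and the checks are the ones both loaders are described as lacking.

```python
import tempfile
from pathlib import Path, PurePosixPath

# Added example, not Langflow's or LangChain-core's code. The roots and the
# "path" config key are hypothetical; the checks are what both loaders lack.

def confine(root: Path, user_path: str) -> Path:
    """Resolve root/user_path and refuse anything outside root: '../'
    segments, absolute paths (which replace root on join), symlink escapes."""
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes {root}: {user_path!r}")
    return candidate

def safe_upload_name(filename: str) -> str:
    """Uploads never need a directory: keep only the final name component
    and reject any name that carried one, a backslash, or is empty/dots."""
    name = PurePosixPath(filename).name
    if name != filename or "\\" in name or name in ("", ".", ".."):
        raise ValueError(f"rejected upload filename: {filename!r}")
    return name

def save_upload(root: Path, filename: str, data: bytes) -> Path:
    target = root / safe_upload_name(filename)
    target.write_bytes(data)
    return target

def load_prompt_from_config(root: Path, config: dict) -> str:
    """Config-driven loader whose 'path' value is confined to root."""
    return confine(root, config["path"]).read_text()

def demo() -> tuple[str, str, int]:
    """Constructed run in a temp dir: one legitimate prompt, one upload,
    three loader paths that must be refused before any disk access."""
    base = Path(tempfile.mkdtemp())
    (base / "prompts" / "sub").mkdir(parents=True)
    (base / "prompts" / "sub" / "greet.txt").write_text("Hello, {name}")
    (base / "uploads").mkdir()
    text = load_prompt_from_config(base / "prompts", {"path": "sub/greet.txt"})
    saved = save_upload(base / "uploads", "report.pdf", b"%PDF-")
    rejected = 0
    for bad in ("../uploads/report.pdf", "/etc/passwd", "../../../etc/cron.d/x"):
        try:
            load_prompt_from_config(base / "prompts", {"path": bad})
        except ValueError:
            rejected += 1
    return text, saved.name, rejected
```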

Cyera paired this with CVE-2025-68664 (CVSS 9.3), a deserialization flaw that resolves environment secrets through crafted objects. The fixes differ:

  • CVE-2026-34070 → langchain-core 1.2.22 / 0.3.86
  • CVE-2025-68664 → 1.2.5 / 0.3.81

Critical note: Patching only one leaves the higher-severity flaw exposed.
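Both deserialization flaws in this article (LangGraph's checkpoint decoder and CVE-2025-68664 in LangChain-core) come down to rebuilding objects from stored data without an allowlist of permitted types. As an added example that is neither project's serializer (the JSON "__type__" tag is a hypothetical stand-in for msgpack ext types), here is a checkpoint codec that only reconstructs registered dataclasses and never resolves a type name stored in the data.

```python
import json
from dataclasses import asdict, dataclass, is_dataclass

# Added example, not LangGraph's or LangChain-core's code. The tag scheme and
# the two state types are hypothetical.

@dataclass(frozen=True)
class Message:
    role: str
    content: str

@dataclass(frozen=True)
class ToolCall:
    name: str
    args: dict

# Only types listed here may be rebuilt from stored checkpoint bytes.
REGISTRY = {cls.__name__: cls for cls in (Message, ToolCall)}

def dump_checkpoint(state: dict) -> str:
    def tag(obj):
        if is_dataclass(obj) and type(obj).__name__ in REGISTRY:
            return {"__type__": type(obj).__name__, **asdict(obj)}
        raise TypeError(f"not a checkpointable type: {type(obj).__name__}")
    return json.dumps(state, default=tag)

def load_checkpoint(raw: str) -> dict:
    def rebuild(d: dict):
        tag = d.pop("__type__", None)
        if tag is None:          # plain dict, e.g. tool arguments
            return d
        cls = REGISTRY.get(tag)  # never importlib-resolve a stored name
        if cls is None:
            raise ValueError(f"refusing to reconstruct type {tag!r}")
        return cls(**d)
    return json.loads(raw, object_hook=rebuild)
```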

Under the Hood: Why Scanners Miss This

Merritt Baer, CSO at Enkrypt AI and former AWS deputy CISO, calls this “MCP insecurity”—a failure to treat frameworks as trust boundaries. “CISOs won’t see this as ‘AI risk,’” she told VentureBeat. “They’ll see an unauthenticated server in their cloud, and their traditional security tools won’t catch it.”

The root cause? Insecure defaults. Langflow’s auto-login. LangChain-core’s unguarded prompt loader. The convenient default is the vulnerability. And the moment an agent connects to anything, that risk compounds.

“You’re not just trusting your own security, you’re inheriting the hygiene of every tool, every credential, every developer in that chain.” — Merritt Baer, CSO, Enkrypt AI

Source: VentureBeat Interview, June 2026

The Implementation Mandate: How to Patch Before the Breach

Here’s the six-question checklist to run tonight, with CLI commands and board-ready language:

Each entry gives the trust boundary, the question, the proof point, the command or fix, and the board language.

  1. Trust boundary: Agent State Store
     Question: Can the agent’s state store be poisoned with code?
     Proof point: LangGraph SQLi-to-RCE chain. get_state_history() exposed to network input.
     Command/Fix: pip show langgraph-checkpoint-sqlite. Upgrade to 3.0.1+; confirm get_state_history() is not exposed.
     Board language: “Our agent memory layer can be tricked into running attacker code. Vendor has patched it. We are upgrading and confirming the endpoint is not exposed.”
  2. Question: Is auto-login enabled on Langflow?
     Proof point: CVE-2026-5027 (CVSS 8.8). Auto-login on by default.
     Command/Fix: curl -I http://:7860 | grep "WWW-Authenticate". Disable auto-login; isolate port 7860.
     Board language: “Our AI dev tools are reachable from the internet with login off. This exact flaw is under active attack now. We are pulling them behind access controls today.”
  3. Trust boundary: Prompt Loader
     Question: Can our prompt loader read files it should never touch?
     Proof point: LangChain-core CVE-2026-34070. load_prompt() reads user-supplied paths.
     Command/Fix: pip show langchain-core. Upgrade to 1.2.22+ / 0.3.86+; replace load_prompt() with an allowlisted directory.
     Board language: “Our prompt system could be steered to read our API keys off disk. We are patching and removing the legacy loader.”
  4. Question: Does a compromised framework hand over every credential at once?
     Proof point: Cyera documents credential exfiltration via deserialization.
     Command/Fix: Inventory secrets with grep -r "OPENAI_API_KEY" /path/to/framework. Move keys to ephemeral injection; rotate exposed keys.
     Board language: “A single break in one AI framework exposes the keys to every model and data store it touches. We are rotating and scoping them now.”
  5. Trust boundary: Framework Governance
     Question: Are these frameworks running outside security governance?
     Proof point: Shadow AI is the new shadow IT. No approval records.
     Command/Fix: Run a discovery sweep with grep -r "langgraph|langchain|langflow" /etc. Assign owners; offer sanctioned alternatives.
     Board language: “We have AI frameworks in production that no one formally approved. We are bringing them under governance, not banning them.”
  6. Trust boundary: Scanner Blind Spots
     Question: Can our scanners even see inside the framework at runtime?
     Proof point: WAF/EDR miss msgpack decoders and prompt loaders.
     Command/Fix: Test with curl -X POST http://localhost:7860/api/v2/files -F "file=../../../etc/passwd". Add framework dependencies to vuln management.
     Board language: “Our scanners check our code, not the frameworks our code imports. We are closing that blind spot and patching on disclosure, not waiting for the federal catalog.”

Framework C: Tech Stack & Alternatives Matrix

If LangGraph, LangChain, or Langflow are in your stack, here’s how to compare the risk:

| Framework | Critical Flaw | CVSS | Patch Status | Alternatives |
|---|---|---|---|---|
| LangChain-core | Path traversal in load_prompt() | 7.5 → 9.3 (paired) | 1.2.22 / 0.3.86 | Cohere’s LangChain-compatible loader (sandboxed paths) |
| LangGraph | SQLi → msgpack RCE | 7.3 → 6.8 | 1.0.10 | Prefect Flow (explicit checkpoint isolation) |
| Langflow | Unauthenticated path traversal | 8.8 | 1.9.0+ | Flowise (disable auto-login by default) |

Why This Isn’t Over: The Board-Level Risk

Assaf Keren, CISO at Qualtrics and former PayPal CISO, frames the business blast radius:

“When an AI engine triggers a compensation adjustment based on poisoned data, the damage isn’t a security incident. It’s a wrong business decision executed at machine speed.”

Source: VentureBeat Interview, June 2026

A framework RCE is the same problem one layer earlier. The agent doesn’t just leak a credential—it acts on production systems with it. The business sees an outcome no one can explain.

The Directory Bridge: Who Can Help You Patch Now

With this zero-day exploit actively circulating, enterprise IT departments cannot wait for an official patch. Here’s who to engage immediately:

  • CrowdStrike: Expanded AI detection to monitor agent traffic for these exact attack patterns (June 17 update). Their Falcon AIDR now covers AWS Bedrock, Kiro, and Strands workloads.
  • Tenable: Tracked the Langflow exploitation in-the-wild and offers Tenable.ot for agent-level vulnerability scanning.
  • Cyera: Documented the LangChain-core deserialization flaw and provides Cyera Insight for credential exposure detection.
  • Enkrypt AI: Specializes in MCP (Multi-Cloud Provider) security and offers Enkrypt Guard for framework-level trust boundaries.

The Editorial Kicker: The Next Wave of AI Exploits

The frameworks did what they were built to do. The problem isn’t the technology—it’s the assumption that convenience equals security. LangGraph, LangChain, and Langflow shipped faster than anyone secured them. The edge tools watch traffic. The endpoint tools watch processes. But neither was built to treat an imported framework as a boundary worth guarding.

This is the new shadow IT: AI agents running in production with no governance, no credential hygiene, and no runtime monitoring. The fix isn’t re-architecture. It’s version bumps, config changes, and a hard look at what’s running in your cloud without your security team’s knowledge.

Run the six-question checklist tonight. Then ask: What else is running that we don’t know about?

Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.
