Three AI frameworks expose credentials to RCE, Langflow under active attack
Three widely deployed AI agent frameworks, LangGraph, Langflow, and LangChain, contain critical vulnerabilities that chain ordinary bugs into remote code execution. Langflow is already under active attack, with confirmed exploitation on June 9. The vulnerabilities expose production deployments that store agent state, credentials, and API tokens to unauthenticated attackers.
TL;DR
- Langflow CVE-2026-5027 (CVSS 8.8) is a path traversal in file upload that enables unauthenticated RCE on default-configured instances. Active exploitation confirmed as of June 9.
- LangGraph CVE-2025-67644 (CVSS 7.3) is a SQL injection in SQLite checkpointer that chains with CVE-2026-28277 (CVSS 6.8) to achieve RCE via msgpack deserialization.
- LangChain-core contains a path traversal in its prompt loader that exposes secrets stored on disk.
- All three frameworks became production infrastructure faster than security controls were implemented, storing credentials and agent state without treating imported frameworks as security boundaries.
Why It Matters
These frameworks are foundational infrastructure for AI agents in production environments. They store sensitive credentials, database access tokens, and CRM credentials alongside agent execution state. A single unauthenticated request to a default-configured Langflow instance grants shell access, and the SQL injection in LangGraph affects deployments that have cleared over 50 million downloads per month.
Business Impact
Organizations running AI agents on these frameworks face immediate risk to their most sensitive credentials and internal systems. Langflow exploitation is already happening in the wild. Remediation requires version updates across multiple packages, and some deployments may require architectural changes to move away from vulnerable checkpointer configurations.
Key Implications
- Default configurations of these frameworks prioritize ease of deployment over security, creating a wide attack surface for organizations that do not explicitly harden their instances.
- The vulnerability patterns are identical across three separate frameworks, suggesting a systemic gap in how AI agent frameworks treat untrusted input and deserialization.
- Organizations using self-hosted LangGraph on SQLite or Redis checkpointers with untrusted input access face immediate RCE risk, while those on LangSmith managed PostgreSQL are protected.
- The frameworks lack security boundaries around imported code, allowing deserialization attacks to execute arbitrary functions with agent server privileges.
What to Watch
Monitor for patches across langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2. Track whether Langflow and LangChain-core release fixes and timelines. Watch for broader exploitation of these frameworks in the wild, particularly against Langflow instances, and assess whether organizations are moving to managed platforms like LangSmith to avoid self-hosted exposure.
Subscribe to the newsletter
The latest stories and analysis, delivered to your inbox.
Free. No spam. Unsubscribe any time.
