Source: runtimewire.com · topic: ai-safety

Langflow attacks show AI agent frameworks have become production infrastructure before security caught up

Roughly 7,000 exposed Langflow AI agent servers are under active attack, and researchers have found the same bug classes in LangGraph and LangChain-core: SQL injection, path traversal, and unsafe deserialization. Because these frameworks hold production secrets, workflow state, and access to internal systems, a bug in the framework reaches everything the agent can touch, a sign that AI agent frameworks became critical infrastructure before security practice caught up.

Published Jun 19, 2026 · 6 min read

VentureBeat reported that exposed Langflow servers are being attacked while related vulnerabilities in LangGraph and LangChain-core show the same pattern: AI agent frameworks are now trusted with production secrets, state, files, and internal-system access, but the bug classes are still SQL injection, path traversal, and unsafe deserialization.

The story is not that agent builders invented a new category of security failure. It is that the frameworks they moved into production now sit at a privileged junction. They store conversation and workflow state. They load prompt configurations. They accept uploaded files. They hold the API keys and service credentials needed to let agents take action across databases, CRMs, model providers, and internal tools. When that layer fails, the blast radius is not limited to a demo chatbot.

That is the uncomfortable throughline across the three cases VentureBeat assembled. Check Point Research found a LangGraph chain from SQL injection to remote code execution. Tenable documented a Langflow file upload path traversal that can write arbitrary files. Cyera described LangChain-core paths that can expose local files and environment secrets. The shared lesson for founders shipping agentic products is direct: the framework is part of the security boundary, whether the security program treats it that way or not.

Langflow is the live-fire case

Langflow is the framework already seeing abuse. VentureBeat, citing Censys, reported roughly 7,000 exposed Langflow instances on the internet, most of them in North America. The relevant bug, CVE-2026-5027, carries a CVSS score of 8.8 and sits in the POST /api/v2/files endpoint.

Tenable's advisory describes the root issue in plain terms: the endpoint does not sanitize the filename parameter supplied in multipart form data, allowing path traversal sequences to write files outside the intended upload location. Tenable lists the fix as Langflow 1.9.0 or later.

VentureBeat's reporting adds the operational problem. In exposed deployments where Langflow's default auto-login behavior leaves the endpoint reachable without credentials, the file write becomes a practical remote-code-execution path. An attacker can write to any location the Langflow process itself can write to, such as /etc/cron.d/; the next cron run does the rest. VulnCheck researcher Caitlin Condon told VentureBeat that VulnCheck's canaries observed exploitation on June 9, with attackers using the traversal to write apparent test files on victim systems.

The timing matters more than the CVSS score. VentureBeat reported that Langflow 1.9.0 shipped April 15, 2026, but exploitation was observed in June. That means the patch existed for nearly two months before many exposed servers were visibly in the attack path. For startups, that is the real incident pattern: an AI workflow server starts as internal tooling, gets exposed for convenience or testing, connects to real keys, and then survives long enough on the public internet for the exploit ecosystem to catch up.

Langflow had already been a target. VentureBeat noted that CVE-2025-34291, an earlier Langflow issue, was weaponized by the Iranian state-sponsored group MuddyWater and added to CISA's Known Exploited Vulnerabilities catalog in May 2026. The Hacker News separately reported that CISA added CVE-2025-34291 to KEV after evidence of active exploitation.

LangGraph turns agent memory into an attack surface

LangGraph's issue is more conditional, but it cuts closer to the core of agent architecture. LangGraph gives agents memory through checkpointers, the persistence layer used to store execution state. Check Point Research said LangGraph has more than 50 million monthly downloads and identified three vulnerabilities in that persistence layer.

The first, CVE-2025-67644, is a SQL injection in langgraph-checkpoint-sqlite. Check Point's write-up shows the vulnerable code constructing part of a SQL WHERE clause by interpolating filter keys into a JSON path instead of safely binding or escaping them. The exposure is not universal. Check Point says the vulnerable path applies to teams self-hosting LangGraph with the SQLite or Redis checkpointer where an application exposes get_state_history() with a user-controlled filter. Check Point also says LangChain's managed LangSmith Deployment, formerly LangGraph Platform, runs PostgreSQL and is not vulnerable to that specific path.

The second issue, CVE-2026-28277, is the step that makes the chain dangerous. Check Point described an unsafe msgpack deserialization path where attacker-controlled checkpoint data can import a module and call a named function with attacker-supplied arguments. In its demonstration, that means reaching os.system() from a forged checkpoint. The SQL injection supplies the write path; the deserializer supplies execution. A third issue, CVE-2026-27022, affects the Redis checkpointer with a similar injection class. Check Point's recommended version bumps are specific: langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+.
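The "import a module and call a named function" shape is worth seeing next to its safe counterpart. The block below is an added example, not LangGraph's serializer or Check Point's proof of concept: it uses a plain (module, attribute, args) tuple to stand in for the msgpack extension payload so it runs without the msgpack dependency, and it targets a harmless function so it is safe to execute. The allowlist contents are an assumption for the demo.

```python
import importlib
from datetime import datetime


def reconstruct_unsafe(payload):
    """Resolves whatever module and attribute the payload names and calls it
    with the payload's arguments. If the payload comes from a checkpoint an
    attacker could write, this is remote code execution by design."""
    module_name, attr_path, args = payload
    obj = importlib.import_module(module_name)
    for part in attr_path.split("."):
        obj = getattr(obj, part)
    return obj(*args)


# Assumed allowlist for the demo: the only constructors a checkpoint may
# legitimately need. Keyed by the exact (module, attribute) pair; nothing
# outside it is ever imported or called.
ALLOWED_CONSTRUCTORS = {
    ("datetime", "datetime"): datetime,
}


def reconstruct_hardened(payload):
    """Maps the payload tag to a constructor through a closed table. The
    payload decides *which* allowed type, never *what code* runs."""
    module_name, attr_path, args = payload
    ctor = ALLOWED_CONSTRUCTORS.get((module_name, attr_path))
    if ctor is None:
        raise ValueError(f"refusing to reconstruct {module_name}.{attr_path}")
    return ctor(*args)


def demo():
    benign = ("datetime", "datetime", [2026, 6, 19])
    # Constructed hostile payload. os.getcwd is chosen because it is harmless;
    # ("os", "system", ["id"]) has exactly the same shape.
    hostile = ("os", "getcwd", [])
    result = {
        "unsafe_benign": reconstruct_unsafe(benign),
        "unsafe_hostile_ran": isinstance(reconstruct_unsafe(hostile), str),
        "hardened_benign": reconstruct_hardened(benign),
    }
    try:
        reconstruct_hardened(hostile)
        result["hardened_blocked"] = False
    except ValueError:
        result["hardened_blocked"] = True
    return result
```

The hardened form is the standard remedy for any "tagged constructor" serializer: a closed mapping from tag to type, never a dynamic import driven by the data. The version bumps above are what closes the real path; this example shows what the fixed code has to look like so a reviewer can recognise the pattern in other persistence layers.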

VentureBeat reported no confirmed in-the-wild exploitation of the LangGraph chain as of June 19, 2026. That distinction matters. LangGraph is not in the same operational category as exposed Langflow servers being probed today. But the proof of concept is public, the affected use case maps to real self-hosted agent systems, and the vulnerable component is precisely where agent state is trusted.

LangChain-core shows why secrets are the prize

The LangChain-core issue is not a shell by itself, but it points at the asset attackers are usually after first: secrets. Cyera's research on LangChain vulnerabilities described CVE-2026-34070, a path traversal issue in the legacy prompt-loading API. The vulnerable load_prompt() path reads a file path from a configuration dictionary without blocking traversal sequences or absolute paths, letting an attacker who can influence the path read files available to the process.
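The Langflow upload bug and the load_prompt() bug are the same defect in opposite directions: an untrusted path joined onto a trusted directory, once for a write and once for a read. The block below is an added example, not code from Langflow, LangChain or Tenable's or Cyera's write-ups. It shows the unsafe join, a shared containment check, and how that check serves both an upload handler (keep only the leaf name) and a prompt loader (resolve under the prompts directory and refuse anything that escapes). Directory names, the sample prompt and the .env contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class PathEscape(ValueError):
    """Raised when an untrusted path would resolve outside its base directory."""


def confine(base_dir, untrusted):
    """Resolve `untrusted` beneath `base_dir`; refuse absolute paths and any
    result outside the base. resolve() collapses '..' and symlinks first, so
    the containment test runs on the real target, not on the string."""
    base = Path(base_dir).resolve()
    if os.path.isabs(untrusted) or PurePosixPath(untrusted).is_absolute():
        raise PathEscape(f"absolute path rejected: {untrusted!r}")
    target = (base / untrusted).resolve()
    if target != base and base not in target.parents:
        raise PathEscape(f"path escapes {base}: {untrusted!r}")
    return target


def upload_target_vulnerable(upload_dir, filename):
    """Bug shape from the Langflow advisory: the multipart filename is joined
    straight onto the upload directory, so '../' picks the destination."""
    return Path(upload_dir, filename).resolve()


def upload_target_hardened(upload_dir, filename):
    # An upload only needs a leaf name; discard any directory part the client sent.
    leaf = PurePosixPath(filename).name
    if leaf in ("", ".", ".."):
        raise PathEscape(f"invalid upload filename: {filename!r}")
    return confine(upload_dir, leaf)


def load_prompt_hardened(prompts_dir, config):
    """load_prompt()-style loader: the template path comes from a config dict
    (key name 'template_path' is assumed for the demo) and is read only if it
    stays under the prompts directory."""
    return confine(prompts_dir, config["template_path"]).read_text()


def demo(tmp_root=None):
    root = Path(tmp_root or tempfile.mkdtemp(prefix="confine-demo-"))
    uploads, prompts = root / "uploads", root / "prompts"
    uploads.mkdir(parents=True, exist_ok=True)
    prompts.mkdir(parents=True, exist_ok=True)
    (prompts / "greet.txt").write_text("Hello {name}")
    # Constructed secrets file beside the app, the kind of target the text describes.
    (root / ".env").write_text("OPENAI_API_KEY=sk-constructed-example\n")

    traversal = "../.env"
    out = {
        # the naive join lands exactly on the secrets file
        "vulnerable_escapes": upload_target_vulnerable(uploads, traversal)
        == (root / ".env").resolve(),
        # the hardened handler keeps the write inside uploads/
        "hardened_leaf": upload_target_hardened(uploads, traversal).name,
        "prompt_ok": load_prompt_hardened(prompts, {"template_path": "greet.txt"}),
        "blocked": [],
    }
    for bad in ({"template_path": "../.env"}, {"template_path": str(root / ".env")}):
        try:
            load_prompt_hardened(prompts, bad)
            out["blocked"].append(False)
        except PathEscape:
            out["blocked"].append(True)
    return out
```

Two details matter in practice. The containment check must run after resolution, otherwise a symlink inside the upload directory defeats a string-based check, and for uploads the right answer is usually not to trust the client filename at all but to generate a server-side name and keep the original only as metadata.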

In an AI application, that can include .env files carrying model-provider credentials such as OPENAI_API_KEY or ANTHROPIC_API_KEY, plus database credentials and other service tokens. Cyera also paired the issue with CVE-2025-68664, a higher-severity deserialization flaw it said could resolve environment secrets through a crafted object.

The version matrix is easy to get wrong. VentureBeat reported that CVE-2026-34070 is fixed in langchain-core 1.2.22 and 0.3.86, while CVE-2025-68664 is fixed in 1.2.5 and 0.3.81. Teams that patch only the path traversal and miss the deserialization issue, or that upgrade within the wrong release line, may still leave the higher-severity flaw reachable.
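Because two release lines (0.3.x and 1.2.x) each have their own fixed version, a naive "is installed >= fixed" check gives the wrong answer for one of them. The block below is an added example, not a tool from any of the vendors named: it encodes the fixed versions exactly as the article reports them and compares an installed version against the fix for its own major line, treating a line with no reported fix as unconfirmed rather than safe. The CVE-to-package mapping follows the article; the langgraph entry is labelled by advisory because the text does not tie a CVE to that specific version bump. The installed-version dictionary is constructed; in a real audit it would come from the lockfile or from importlib.metadata.

```python
import re

# Fixed versions as reported in the article. Data for the check, not an advisory.
FIX_MATRIX = {
    "langflow": {"CVE-2026-5027": ["1.9.0"]},
    "langgraph": {"Check Point checkpoint advisory": ["1.0.10"]},
    "langgraph-checkpoint-sqlite": {"CVE-2025-67644": ["3.0.1"]},
    "langgraph-checkpoint-redis": {"CVE-2026-27022": ["1.0.2"]},
    "langchain-core": {
        "CVE-2026-34070": ["1.2.22", "0.3.86"],
        "CVE-2025-68664": ["1.2.5", "0.3.81"],
    },
}


def parse_version(v):
    """Numeric release components only. A pre-release such as 1.2.22rc1 compares
    as 1.2.22, so it is reported as fixed; tighten this if you ship pre-releases."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def fix_status(installed, fixed_versions):
    """Compare against the fix for the installed major line only.
    Returns 'fixed', 'vulnerable', or 'unknown-line' (a newer major than any
    reported fix: verify against the advisory instead of assuming safety)."""
    inst = parse_version(installed)
    by_major = {}
    for f in fixed_versions:
        fv = parse_version(f)
        by_major[fv[0]] = max(by_major.get(fv[0], fv), fv)
    if inst[0] in by_major:
        return "fixed" if inst >= by_major[inst[0]] else "vulnerable"
    if inst[0] < min(by_major):
        return "vulnerable"  # older than every line that received a fix
    return "unknown-line"


def audit(installed):
    """installed: {distribution name: version}. One finding per (package, issue)."""
    findings = []
    for pkg, issues in FIX_MATRIX.items():
        if pkg not in installed:
            continue
        for issue, fixes in issues.items():
            findings.append((pkg, issue, installed[pkg], fix_status(installed[pkg], fixes)))
    return findings


# Constructed environment: langchain-core was bumped past the deserialization
# fix but not the path traversal fix; the SQLite checkpointer is a major behind.
EXAMPLE_INSTALLED = {
    "langchain-core": "1.2.10",
    "langgraph": "1.0.12",
    "langgraph-checkpoint-sqlite": "2.0.3",
    "langflow": "1.8.0",
}


def demo():
    return {(pkg, issue): status for pkg, issue, _ver, status in audit(EXAMPLE_INSTALLED)}


if __name__ == "__main__":
    for pkg, issue, ver, status in audit(EXAMPLE_INSTALLED):
        print(f"{pkg:30} {ver:10} {issue:32} {status}")
```

The point of the per-line comparison is visible in the langchain-core rows: the same installed version is fixed for one CVE and vulnerable for the other, which is exactly the half-patched state the paragraph warns about.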

The founder takeaway is not to stop building agents

For founders, the conclusion is not that Langflow, LangGraph, or LangChain-core are unusable. Open-source AI infrastructure is moving quickly because builders need the abstractions: memory, tool calls, prompt loading, visual workflows, and stateful execution. The issue is that those abstractions have crossed from experimentation into production faster than many teams' inventory, patching, and threat models have adapted. That changes the operating discipline. Agent frameworks need to be tracked like web frameworks, not treated like helper libraries. Publicly exposed builder tools need authentication, network controls, and explicit internet-exposure review. File upload endpoints need the same suspicion they would get in any production application. Prompt loaders and state stores need to be treated as paths to secrets and execution, not just developer conveniences.

The market has spent the last year asking whether agents are reliable enough to do real work. The Langflow, LangGraph, and LangChain-core disclosures answer a different question: once agents can do real work, the framework underneath them becomes a route to whatever that work can touch.
