A June 2026 analysis by Check Point Research (indexed by IT Security News) highlights a critical vulnerability chain in LangGraph and LangChain, originally identified by Cyera Research in March 2026, that can expose agent memory, API keys, and conversation histories to attackers. The Hacker News and Cyera document three distinct flaws: a path traversal in langchain_core/prompts/.py (CVE-2026-34070, CVSS 7.5), a deserialization bug that leaks API keys and environment secrets (CVE-2025-68664, CVSS 9.3), and an SQL injection in LangGraph's SQLite checkpoint implementation enabling remote code execution (CVE-2025-67644, CVSS 7.3). Patched versions are langchain-core >=1.2.22, langchain-core 0.3.81/1.2.5, and langgraph-checkpoint-sqlite 3.0.1, per The Hacker News and Cyera. LangChain and LangGraph see over 60 million combined weekly downloads across packages, per TechRadar.
What happened
A fresh analysis by Check Point Research (June 11, 2026, indexed by IT Security News) frames LangGraph and LangChain agent memory as an active security liability, building on three critical CVEs originally identified by Cyera Research and disclosed March 27, 2026. Cyera Research's "LangDrained" report documents the three flaws: a path traversal in langchain_core/prompts/.py (CVE-2026-34070, CVSS 7.5), a deserialization vulnerability leaking API keys and environment secrets (CVE-2025-68664, CVSS 9.3), and an SQL injection in LangGraph's SQLite checkpoint backend enabling remote code execution (CVE-2025-67644, CVSS 7.3) (Cyera; The Hacker News).
Technical details
CVE-2026-34070 allows crafted prompt templates to cause arbitrary file reads via the prompt- API (The Hacker News). CVE-2025-68664 occurs when untrusted input is interpreted as a pre-serialized LangChain object, restoring sensitive environment variables and API keys; note that Cyata (cyata.ai) independently disclosed this deserialization issue in December 2025 under the name "LangGrinch" (The Hacker News). CVE-2025-67644 resides in metadata filter handling in LangGraph's checkpoint SQLite backend and can be chained to execute arbitrary SQL and escalate to command execution in some deployments (Cyera; The Hacker News). Patched versions, per Cyera and The Hacker News: langchain-core >=1.2.22 (CVE-2026-34070), langchain-core 0.3.81 and 1.2.5 (CVE-2025-68664), langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644).
Industry context
Editorial analysis: Open-source agent frameworks concentrate connectors, secrets, and conversation histories in checkpoints and memory stores, raising attacker value as LangChain's install base grows. TechRadar reports combined weekly downloads exceeding 60 million across LangChain projects, and Check Point Research notes roughly 46.5 million monthly downloads for related packages (IT Security News). Separately, a Langflow RCE flaw (CVE-2026-33017, CVSS 9.3) was exploited within 20 hours of disclosure in the same period, indicating continued attacker focus on agent framework attack surfaces (The Hacker News). The Cloud Security Alliance published a formal research note on March 27, 2026 documenting the three CVEs and their enterprise risk profile.
What to watch
For practitioners: Verify installations are at the patched versions listed above. Monitor whether downstream projects publish additional hardening steps or checkpoint-format validation tools. Industry pattern: scrutinize whether serialized agent checkpoints are treated as trusted data in your deployment and review input validation at all LLM output boundaries.
Scoring Rationale #
Three high-severity CVEs in LangChain and LangGraph - including a CVSS 9.3 deserialization flaw enabling secrets exfiltration and a CVSS 7.3 SQL injection with RCE potential - directly affect widely deployed agent frameworks with tens of millions of weekly downloads. A fresh June 2026 Check Point Research analysis and the concurrent active exploitation of a related Langflow RCE confirm continued attacker interest in this stack. Score reflects verified critical CVEs in high-adoption infrastructure.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.