
Security flaws in widely deployed AI agent frameworks—LangGraph, Langflow, and LangChain-core—have turned ordinary software bugs into full system compromises, exposing OpenAI keys, database credentials, and CRM tokens.
The most pressing threat involves Langflow, where a path traversal flaw in its file upload endpoint allows unauthenticated attackers to write files anywhere on the server. Since Langflow enables auto-login by default, a single HTTP request can install a cron job, granting shell access. Security firm VulnCheck confirmed active exploitation in June after detecting test files on victim systems. A patch was released in April, but attacks began two months later.
From SQL injection to Python shell access
LangGraph, a framework with over 50 millio—
Check Point Research demonstrated how a SQL injection in LangGraph’s SQLite checkpointer could lead to remote code execution. The vulnerability arises when user-controlled filter keys are inserted into SQL queries without proper sanitization, allowing attackers to write malicious rows into the checkpoint table. LangGraph’s msgpack checkpoint decoder then reconstructs Python objects from stored data, enabling arbitrary code execution under the agent server’s identity.
A similar issue affects the Redis checkpointer, though no real-world exploitation has been confirmed. Fixes require updating to langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2.
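The checkpointer defect described above comes down to a filter key from the caller being spliced into SQL text. The following Python is an added example written for this article, not LangGraph's code: a hypothetical, simplified `CheckpointStore` whose `search()` accepts only allowlisted column names as filter keys and binds every filter value as a parameter, so neither the key nor the value can change the shape of the query. Table layout, column names and the sample rows are constructed for the demonstration.

```python
"""Allowlisted filter keys for a SQLite-backed checkpoint store.

Added example, not LangGraph's own implementation. It models the pattern
behind the flaw in the article: callers filter checkpoints by metadata
key, and the key name has to appear in the SQL as an identifier. The
defence is to accept only known identifiers and to bind values with '?'.
"""
import re
import sqlite3
from typing import Any, Dict, List

# Column names a caller may filter on. Anything else is rejected before any
# SQL text is assembled. (Hypothetical schema for this example.)
ALLOWED_FILTER_KEYS = frozenset({"thread_id", "source", "step"})
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidFilterKey(ValueError):
    """Raised when a filter key is not an allowlisted column name."""


class CheckpointStore:
    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE checkpoints ("
            " thread_id TEXT, checkpoint_id TEXT, source TEXT, step INTEGER)"
        )

    def put(self, thread_id: str, checkpoint_id: str, source: str, step: int) -> None:
        # Values are always bound, never formatted into the statement.
        self.conn.execute(
            "INSERT INTO checkpoints VALUES (?, ?, ?, ?)",
            (thread_id, checkpoint_id, source, step),
        )

    def search(self, filters: Dict[str, Any]) -> List[str]:
        """Return checkpoint ids whose columns match every filter.

        Keys are checked against the allowlist and an identifier regex
        before they are placed in the statement; values go through '?'
        placeholders so SQLite never parses them as SQL.
        """
        clauses: List[str] = []
        params: List[Any] = []
        for key, value in filters.items():
            if key not in ALLOWED_FILTER_KEYS or not IDENTIFIER.match(key):
                raise InvalidFilterKey(f"filter key not allowed: {key!r}")
            clauses.append(f'"{key}" = ?')
            params.append(value)
        sql = "SELECT checkpoint_id FROM checkpoints"
        if clauses:
            sql += " WHERE " + " AND ".join(clauses)
        sql += " ORDER BY checkpoint_id"
        return [row[0] for row in self.conn.execute(sql, params)]


def demo() -> Dict[str, Any]:
    """Constructed data: three checkpoints across two threads."""
    store = CheckpointStore()
    store.put("t1", "c1", "input", 1)
    store.put("t1", "c2", "loop", 2)
    store.put("t2", "c3", "input", 3)

    out: Dict[str, Any] = {
        "by_source": store.search({"source": "input"}),
        "by_step": store.search({"step": 2}),
        "by_thread": store.search({"thread_id": "t1"}),
        "no_filter": store.search({}),
    }
    # A real column that is not on the allowlist is still refused.
    try:
        store.search({"checkpoint_id": "c1"})
        out["unlisted_key"] = "accepted"
    except InvalidFilterKey:
        out["unlisted_key"] = "rejected"
    # A key carrying SQL punctuation never reaches the statement builder.
    try:
        store.search({"source\") OR 1=1 --": "x"})
        out["hostile_key"] = "accepted"
    except InvalidFilterKey:
        out["hostile_key"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The allowlist is the check that matters; the regex is a second line in case the allowlist is later loaded from configuration. Note that this only closes the injection step of the chain the article describes; the second step, a decoder that rebuilds arbitrary Python objects from stored rows, needs its own fix, which is why the article points to upgraded checkpointer packages rather than query hardening alone.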
Sensitive data exposed through prompt loaders
LangChain-core, the foundation for both LangGraph and LangChain, contains a path traversal flaw in its legacy prompt-loading API. The load_prompt() function reads file paths from config dictionaries without validating traversal sequences or absolute paths, allowing attackers to access sensitive files like .env containing OPENAI_API_KEY and ANTHROPIC_API_KEY. Cyera documented how this flaw could be exploited to read secrets off disk.
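The Langflow upload flaw and the load_prompt() flaw share one root cause: a path taken from the request or the config dictionary is joined to a base directory without rejecting absolute paths or traversal sequences. The following Python is an added example for this article, not code from Langflow or LangChain-core. `resolve_inside()` is a hypothetical helper showing the containment check a reviewer would expect at that boundary, and `load_prompt_template()` is a hypothetical loader built on it; the directory layout and the `.env` contents in `demo()` are constructed.

```python
"""Path containment for untrusted file names (added example, not project code).

Both flaws in the article involve a user-supplied path being appended to a
base directory. Concatenation is not a check: '..' segments, absolute paths
and symlinks all let the result land outside the intended directory. The
helper below resolves both sides to real paths and requires the candidate
to be strictly inside the base.
"""
from pathlib import Path
import tempfile
from typing import Dict, Any


class PathOutsideBase(ValueError):
    """Raised when an untrusted path would escape the allowed directory."""


def resolve_inside(base: Path, untrusted: str) -> Path:
    """Return base/untrusted only if the resolved result stays under base.

    - empty and absolute inputs are rejected up front (Path joining with an
      absolute right-hand side silently discards the base)
    - '..' segments and symlinks are neutralised by resolving both sides
    - containment is tested on the resolved paths, not on string prefixes
    """
    if not untrusted or Path(untrusted).is_absolute():
        raise PathOutsideBase(f"absolute or empty path rejected: {untrusted!r}")
    base_real = base.resolve()
    candidate = (base_real / untrusted).resolve()
    # The base directory itself is not a valid target either.
    if candidate == base_real or not candidate.is_relative_to(base_real):
        raise PathOutsideBase(f"path escapes base directory: {untrusted!r}")
    return candidate


def naive_join(base: Path, untrusted: str) -> Path:
    """The unsafe pattern: a join with no containment check. Shown only to
    contrast with resolve_inside(); never apply this to external input."""
    return base / untrusted


def load_prompt_template(prompt_dir: Path, name: str) -> str:
    """Hypothetical safe loader: read a template by name from prompt_dir."""
    return resolve_inside(prompt_dir, name).read_text(encoding="utf-8")


def demo() -> Dict[str, Any]:
    """Constructed layout: a prompts/ directory with one template, next to a
    '.env' file that must never be reachable through the loader."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prompt_dir = root / "prompts"
        prompt_dir.mkdir()
        (prompt_dir / "greeting.txt").write_text("Hello, {name}!")
        (root / ".env").write_text("OPENAI_API_KEY=constructed-placeholder")

        results: Dict[str, Any] = {"ok": load_prompt_template(prompt_dir, "greeting.txt")}
        probes = {
            "relative_traversal": "../.env",
            "nested_traversal": "sub/../../.env",
            "absolute": str(root / ".env"),
        }
        for label, probe in probes.items():
            try:
                load_prompt_template(prompt_dir, probe)
                results[label] = "READ"        # would be a finding
            except PathOutsideBase:
                results[label] = "rejected"
        # The naive join resolves to the secrets file: this is the bug class.
        results["naive_escapes"] = (
            naive_join(prompt_dir, "../.env").resolve() == (root / ".env").resolve()
        )
    return results


if __name__ == "__main__":
    print(demo())
```

`Path.is_relative_to` needs Python 3.9 or newer. The same helper applies to an upload endpoint: resolve the destination inside the upload directory before opening it for writing, and treat any rejection as a security event worth logging, since a legitimate client has no reason to send such a name.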
Why security tools fail to detect these attacks
Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, explains that these incidents appear as traditional security failures. “An exposed Langflow instance looks like an unauthenticated server in your cloud,” she said. “The alert, if it triggers, resembles an ordinary incident.”
The problem stems from how security tools monitor these frameworks. Web application firewalls track edge traffic, while endpoint detection systems observe process calls. Neither is built to inspect the internals of imported frameworks. “The exploit hides three layers deep in the code you imported,” Baer noted. “The WAF never sees the msgpack decoder. The EDR sees routine calls from the agent server and ignores them. Both tools function as designed—just not for this specific threat.”
She attributes the issue to insecure defaults. “Multi-agent collaboration platforms ship with the same mistake we’ve seen in every major protocol rollout,” Baer said. “Without built-in authentication and least privilege, we’ll spend the next decade cleaning up breaches.” Langflow’s auto-login and LangChain-core’s unprotected prompt loader exemplify this. “The convenient default becomes the vulnerability,” she added. “Once an agent connects to anything, that risk multiplies.”
Governance failures and unmanaged AI adoption
Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, points to a broader governance problem. “Most security teams still classify experience management platforms as low-risk survey tools,” he said. “This miscategorization applies equally to AI agent frameworks.” Teams deploy LangGraph, Langflow, and LangChain as developer conveniences, connecting them to databases, CRMs, and API keys without formal approval. “Security must enable innovation,” Keren said, “or teams will bypass it. These frameworks are the result of that bypass.”
Financial incentives are shifting to address these risks. CrowdStrike reported its AI detection and response revenue surged over 250% sequentially in Q1 fiscal 2027. On June 17, the company expanded its runtime coverage to include agent, LLM, and MCP traffic on AWS. CEO George Kurtz emphasized the urgency: “Agents run on endpoints. They make tool calls, access files, invoke APIs, and move data at the process level.” That’s precisely the attack surface these vulnerabilities exploit—and the layer many application security scans overlook.
Communicating risks to leadership
Keren advises security teams to translate technical risks into business impact. “Most teams understand the technical blast radius,” he said. “But not the business consequences. When an AI engine executes a compensation adjustment based on poisoned data, it’s not just a security incident. It’s a wrong business decision made at machine speed.” A framework remote code execution vulnerability compounds this problem. The agent doesn’t merely leak credentials—it acts on production systems with them, creating outcomes no one can trace.
The solution doesn’t require a complete overhaul. Version updates, configuration changes, and a six-question checklist can address the core issues. Each question targets a trust boundary—from poisoned state stores to unauthenticated file writes—and maps to a specific patch, verification step, and board-ready explanation. The real exposure isn’t the vulnerability itself but the delay between patch release and deployment. For the Langflow flaw, that gap lasted nearly two months. The frameworks performed as designed. The infrastructure supporting them wasn’t prepared.
Security teams must treat these frameworks like any other production dependency: patch immediately upon disclosure and assume compromise until verified. Otherwise, the next exploit chain will emerge.