Scoopfeeds — Intelligent news, curated.
7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes
ai

7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes

VentureBeat AI · Jun 19, 2026, 9:14 PM

Why this matters: a development in AI with implications for how people work, create, and decide.

Your AI agent did exactly what it was designed to do. The framework underneath it just handed an attacker a shell on the box that holds your Open AI key, your database credentials, and your CRM tokens.That is not a hypothetical. In a few months, three of the most widely deployed AI agent frameworks each turned a known, ordinary bug class into a way through. Check Point Research chained a SQL injection in Lang Graph’s SQLite checkpointer to full remote code execution. Tenable and Vuln Check tracked a path traversal in Langflow’s file upload endpoint to active, in-the-wild RCE. Cyera documented a path traversal in LangChain-core’s prompt loader that reads your secrets off disk. Two paths to a shell, one to your keys. They are the same bug, wearing three frameworks.These frameworks became production infrastructure faster than anyone secured them. They store agent state, take file uploads, load prompt configs, and hold the credentials to databases, CRMs, and internal APIs. The edge tools watch traffic. The endpoint tools watch processes. Neither was built to treat an imported framework as a boundary worth guarding, and that blind spot is exactly where all three chains live, widening every week as these frameworks ship to production.The LangGraph chain, SQL injection to a Python shellStart with the one most teams pulled into production this quarter. LangGraph gives AI agents memory through checkpointers, the persistence layer that stores execution state. It has cleared over 50 million downloads a month. Yarden Porat of Check Point Research took that layer apart and found three vulnerabilities. Two of them chain to RCE.CVE-2025-67644, rated CVSS 7.3, is a SQL injection in the SQLite checkpointer. The function that builds the WHERE clause for checkpoint lookups drops user-controlled filter keys straight into the query with no parameterization and no escaping. This does not hit everyone, but where it hits, it is serious. A deployment is exposed when it self-hosts LangGraph on

Article preview — originally published by VentureBeat AI. Full story at the source.
Read full story on VentureBeat AI → More top stories

More in ai

TechCrunch AI
Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work
VentureBeat AI
Fine-tuning forgets. RAG leaks context. Hypernetworks build the model your agent needs on demand.
TechCrunch AI
Is the US government’s Anthropic ban accidentally helping the brand?
TechCrunch AI
The US banned Anthropic’s Fable 5 release, but the numbers don’t seem to care
TechCrunch AI
Billionaire Ambani wants AI in every call, app, and home

Browse all ai coverage →

Aggregated and edited by the Scoop newsroom. We surface news from VentureBeat AI alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop