Agent Framework Flaws Hit 7,000 Servers

If you’re running any of the popular AI agent frameworks LangGraph, Langflow, or LangChain-core, you might want to pay close attention. That’s not just a theoretical risk — some of these flaws are already being actively exploited in the wild.

Ai agent framework vulnerabilities

The most exposed framework appears to be Langflow, with roughly 7,000 instances sitting directly on the internet, the majority of them in North America. For anyone using these tools in production, this is a clear signal to review your security posture immediately. The vulnerabilities highlight a growing AI supply chain risk, where weaknesses in popular open-source components can cascade into serious breaches for the teams that rely on them.

Langflow’s Path Traversal and Auto-Login Flaw Exposed 7,000 Servers

A path traversal attack in Langflow’s file upload endpoint, tracked as CVE-2026-5027 (CVSS 8.8), paired with a dangerous default auto-login risk, put thousands of instances at immediate risk. Because Langflow ships with auto-login enabled, an attacker didn’t need any credentials to reach the vulnerable endpoint. This combination allowed them to read arbitrary files on the server or even write malicious ones, effectively giving them a foothold into your environment. VulnCheck confirmed active exploitation of this ai agent framework vulnerability in the wild as of June 9, meaning attackers are already moving fast. If you’re running an exposed Langflow instance, you need to treat this as an active threat — not a hypothetical one.

Fortunately, the Langflow security patch is available, so the fix is straightforward. First, update to the latest version immediately. Second, disable the default auto-login behavior — require authentication for every endpoint, even in development setups. Finally, review your logs for any signs of unusual file access or unexpected uploads. This incident is a clear reminder that even popular open-source agent frameworks can contain basic vulnerabilities that become serious when defaults aren’t hardened. Taking those steps now can prevent your server from becoming another confirmed case on someone’s list.

LangGraph’s Chained Vulnerabilities Enable Remote Code Execution

While hardening defaults is a smart first step, some AI agent framework vulnerabilities are trickier because they involve multiple flaws working together. LangGraph, a popular agent orchestration tool, has two separate issues that can be linked into a dangerous AI framework RCE chain. The first is an SQL injection in its SQLite checkpointer (CVE-2025-67644, CVSS 7.3). The second is a msgpack decoder that can import and call functions with attacker-supplied arguments (CVE-2026-28277, CVSS 6.8). On their own, each is concerning, but combined they give an attacker the ability to run arbitrary code on your server. The SQL injection lets them write malicious data into the checkpoint store, and the msgpack deserialization flaw then executes that data as code. This chain turns a database injection into full remote control.

LangGraph also has a third vulnerability in its Redis checkpointer (CVE-2026-27022, CVSS 6.5). This one doesn’t chain with the others, but it still creates a Redis checkpointer risk that could let an attacker tamper with stored agent states. Fortunately, as of now, no confirmed exploitation of any of these LangGraph flaws has been reported in the wild. That gives you time to patch. Update to the latest version, and if you use the Redis checkpointer, make sure it’s not exposed to untrusted networks. Chained vulnerabilities like these highlight why SQL injection in agent frameworks and similar issues deserve immediate attention—even if no one has weaponized them yet.

LangChain-core’s Disclosed CVE Lacks Public Details

Another layer of uncertainty comes from a different corner: LangChain-core. This popular library for building AI agent workflows has a disclosed CVE, but the details available are frustratingly incomplete. In the reports that exist, critical information is cut off—meaning you can’t see the severity score, the type of vulnerability, or whether it has been exploited in the wild. That leaves anyone using LangChain-core in a difficult spot. You know there’s a problem, but you don’t know how urgent it is or what steps to take. This is a classic case of an incomplete CVE disclosure, and it makes the LangChain-core vulnerability disclosure feel half-finished. Without a clear fix or mitigation, the library effectively remains an unpatched AI library for now. Your best move is to keep a close eye on the official LangChain GitHub repository and security advisories. Until more details emerge, treat the vulnerability as a potential risk—especially if you expose your agent to external inputs. This gap in information is itself a weakness, one that adds to the broader picture of AI agent framework vulnerabilities that remain unresolved.

The Two-Month Gap Between Langflow’s Patch and Confirmed Exploitation

That information gap isn’t just theoretical—it plays out in real-world timelines. Take Langflow, a popular open-source visual framework for building AI agents. The team patched a critical vulnerability in version 1.9.0, released on April 15. But attackers didn’t start exploiting it until June 9, nearly two months later. That’s a long exploitation window, and it raises some uncomfortable questions about how quickly you and other users actually apply patches. Why the delay? One likely reason is slow patch adoption—many teams don’t update right away, especially when a fix isn’t tied to a public exploit yet. Another factor could be the timing of a proof-of-concept (PoC) publication; if the PoC came out weeks after the patch, attackers had a ready-made weapon. Or perhaps the exploit was developed gradually, with attackers taking their time to craft a reliable attack. Whatever the cause, this gap between patch and exploitation is a classic example of how AI agent framework vulnerabilities can linger, even after a fix exists. It underscores the importance of not just knowing about a patch, but acting on it immediately—because the vulnerability disclosure timeline doesn’t end when the developer releases code; it ends when you actually deploy that update.

Common Root Cause: Default Insecure Configurations Across Frameworks

Beyond the urgency of patching, it’s worth examining why so many AI agent framework vulnerabilities share a common DNA. A recurring pattern is the reliance on default settings that prioritize ease-of-use over security. Take Langflow: its default configuration enables auto-login, meaning an attacker could access the system without any authentication at all. That single insecure default opened the door for unauthenticated exploitation. Similarly, LangGraph’s default checkpointers may not enforce proper validation, leaving data flows exposed. The root cause across these frameworks boils down to two things: insufficient input validation and open default configurations. When developers ship tools with “works out of the box” settings, they often skip essential security checks like requiring a login or validating user inputs. For you, this means that simply deploying a framework without reviewing its defaults can introduce serious risk. The lesson is clear: AI framework hardening must start with a security audit of every default configuration. Turn off auto-login, enforce validation, and treat any default setting as a potential vulnerability until proven otherwise. These default configuration risks are not just theoretical—they are the low-hanging fruit that attackers actively exploit.

Immediate Security Steps for Your AI Agent Frameworks

While the full scope of these AI agent framework vulnerabilities continues to unfold, you don’t have to wait for every detail to take action. Start with the frameworks that have confirmed fixes. For Langflow, the most critical step is straightforward: update to version 1.9.0 or later, which was released on April 15 specifically to patch the reported flaw. After updating, immediately disable the auto-login feature—this simple change removes a common entry point for unauthorized access. For LangGraph deployments, apply the latest version as well, and take the time to review your checkpoint configurations carefully. These settings can expose sensitive workflow data if left on defaults.

For LangChain-core, keep a close eye on vulnerability databases since an official patch may still be in progress. While you wait, implement network segmentation for your agent frameworks by restricting which IP addresses and ports can reach them. This limits the blast radius if an exploit is attempted. Treat this as your security checklist: update software, disable auto-login, review configurations, and lock down network exposure. Each step reduces the attack surface while you await permanent fixes.

Frequently Asked Questions

How can I tell if my LangGraph deployment is vulnerable to the SQL injection and msgpack decoder chain?

Check if your LangGraph instance exposes the default API endpoints without input sanitization. Review your server logs for unusual SQL queries or malformed msgpack payloads. A practical step is to audit your deployment’s network exposure and disable any unnecessary public endpoints.

What is the common root cause across LangGraph, Langflow, and LangChain-core vulnerabilities?

These Ai agent framework vulnerabilities share a reliance on insecure default configurations and insufficient input validation. In each case, the software trusts user-supplied data too freely, allowing attackers to inject malicious commands or traverse file paths. The core issue is that security hardening is left to the end user rather than enforced by the framework itself.

What immediate steps should I take to secure my AI agent frameworks against these flaws?

Start by restricting network access to your frameworks—never expose them directly to the internet without a reverse proxy or firewall. Then, update all components to the latest patched versions and disable any auto-login or default credentials. Finally, review official security advisories for each framework to see specific mitigation steps for your deployment.


Add Comment