Critical Vulnerabilities Found in LangChain and LangGraph

Eng. Donya Bino Published  ·  3 min read

Cybersecurity researchers have identified three significant vulnerabilities in two widely used open-source development frameworks: LangChain and LangGraph. Flaws in these two libraries can give an attacker access to highly sensitive information such as file system data, environment variables, or conversation history.

LangChain and its extension LangGraph are widely used by developers to build applications powered by large language models (LLMs). LangGraph, in particular, enables more complex, non-linear agentic workflows. Recent download statistics show that LangChain and LangChain-Core had over fifty-two million and twenty-three million downloads respectively through PyPI (Python Package Index) within the last seven days, while LangGraph alone surpassed nine million downloads.

As Cyera Security researcher Vladimir Tokarev stated, each of the three vulnerabilities exposes a different type of sensitive enterprise data:
1. CVE-2026-34070 (CVSS 7.5): A path traversal vulnerability in langchain_core/prompts/loading.py allows an attacker to access any file on a server if they can provide a specially crafted prompt template via the prompt-loading API.

2. CVE-2025-68664 (CVSS 9.3): A deserialization of untrusted data vulnerability leaks API keys and other sensitive data found in the environment. An attacker could potentially trick the system into treating malicious input as a valid pre-serialized LangChain object. The flaw was called LangGrinch when it was disclosed by Cyata in December 2025.

3. CVE-2025-67644 (CVSS 7.3): A SQL injection vulnerability in the SQLite checkpoint for LangGraph allows an attacker to manipulate the SQL query through a set of metadata filter keys and is likely to allow the attacker to perform any kind of action against the database.

If successfully exploited, these flaws could let attackers read sensitive configuration files (such as Docker settings), steal API credentials through prompt injection, or access full conversation histories from LLM-powered workflows.

The vulnerabilities have already been addressed in the following updated versions:
1. CVE-2026-34070 - langchain-core >= 1.2.22
2. CVE-2025-68664 - langchain-core 0.3.81 and 1.2.5
3. CVE-2025-67644 - langgraph-checkpoint-sqlite 3.0.1

These findings arrive shortly after another vulnerability, CVE-2026-33017 (Langflow), was exploited within 20 hours of its release date. This is an example of how rapidly threat actors are focusing on AI tools.

According to Naveen Sunkavally (Chief Architect, Horizon3.ai), many of these problems arise from unauthenticated endpoints that execute arbitrary code when invoked.

The findings serve as a timely reminder that even the foundational “plumbing” of AI applications is not immune to classic security problems like path traversal, unsafe deserialization, and SQL injection. Because LangChain sits at the center of a vast dependency ecosystem, a vulnerability in its core can ripple outward through hundreds of downstream libraries and integrations.

Recommendation
If you use LangChain, LangGraph, or any of their associated platforms or tools, check the version you have installed immediately and apply any available patches. Because AI development environments often hold sensitive data, API keys, and similar secrets, it is extremely important to stay current with all updates to protect against other forms of attack.

Because of how fast many AI vulnerabilities have been exploited, it is highly recommended to treat these patches as high priority.
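
One way to run the version check recommended above, as an added example (not code from the article or from the LangChain project): it compares installed package versions with the fixed versions listed earlier. Reading 0.3.81 and 1.2.5 as per-branch fixes for the 0.x and 1.x lines, and comparing any other release line against the highest listed fix, are assumptions of this example.

```python
import re
from importlib import metadata

# Fixed versions as listed in the article. Reading "0.3.81 and 1.2.5" as
# per-branch fixes keyed by major version is an assumption of this example.
FIXES = {
    "langchain-core": [
        ("CVE-2026-34070", {1: (1, 2, 22)}),
        ("CVE-2025-68664", {0: (0, 3, 81), 1: (1, 2, 5)}),
    ],
    "langgraph-checkpoint-sqlite": [("CVE-2025-67644", {3: (3, 0, 1)})],
}

def version_key(version):
    """Turn '1.2.22rc1' into a sortable tuple; pre-releases sort below the final."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad '1.2' to (1, 2, 0)
    pre = re.match(r"[.\-_]?(a|b|rc|alpha|beta|dev|pre)", m.group(2), re.I)
    return release + ((0,) if pre else (1,))

def unpatched_cves(package, installed):
    """Return the CVEs from FIXES that `installed` is still below the fix for."""
    key = version_key(installed)
    hits = []
    for cve, branches in FIXES.get(package, []):
        # No fix listed for this major line: compare against the highest fix.
        fixed = branches.get(key[0], max(branches.values()))
        if key < fixed + (1,):
            hits.append(cve)
    return hits

def audit_environment():
    """Check the packages installed in the current Python environment."""
    report = {}
    for package in FIXES:
        try:
            installed = metadata.version(package)
        except metadata.PackageNotFoundError:
            continue  # not installed here, nothing to report
        report[package] = (installed, unpatched_cves(package, installed))
    return report

if __name__ == "__main__":
    for package, (installed, cves) in audit_environment().items():
        print(f"{package} {installed}: {', '.join(cves) or 'at or above listed fixes'}")
```

Run it with the same interpreter or virtual environment that the application uses, since it only sees packages installed there.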

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067