The constraint up front

An AI agent framework is not just a library. It stores execution state, accepts file uploads, loads prompt configs from disk, and holds the credentials to every database, CRM, and model provider the agent touches. Compromise the framework, and you get all of it. That is the blast radius these three vulnerability chains expose.

Langflow: one unauthenticated request to a shell

This is the one already under attack. CVE-2026-5027 (CVSS 8.8) is a path traversal in Langflow's `POST /api/v2/files` endpoint. The filename comes straight from form data and is written to disk unsanitized. An attacker packs traversal sequences into the filename and drops a file anywhere the process can write — including `/etc/cron.d/`. Because Langflow ships with auto-login enabled in its default configuration, no credentials are required. One HTTP request, one cron cycle, one shell.

VulnCheck's Caitlin Condon confirmed exploitation on June 9. Censys identified roughly 7,000 exposed instances, most in North America. This is the third Langflow flaw to draw active exploitation this year; a prior flaw, CVE-2025-34291, was weaponized by the Iranian state-sponsored group MuddyWater and added to CISA's Known Exploited Vulnerabilities catalog in May.

The patch is Langflow 1.9.0, released April 15. The gap between patch and confirmed exploitation is nearly two months — every unpatched instance sat open for that entire window.

**Fix:** Upgrade to 1.9.0+, disable auto-login, and move the service behind a VPN or zero-trust gateway. Isolate port 7860 from the public internet.

LangGraph: SQL injection chains to remote code execution

LangGraph gives AI agents persistent memory through checkpointers — the layer that stores execution state between runs. Yarden Porat of Check Point Research found three vulnerabilities in that layer; two chain to RCE.

CVE-2025-67644 (CVSS 7.3) is a SQL injection in the SQLite checkpointer. The function that builds the `WHERE` clause for checkpoint lookups interpolates user-controlled filter keys directly into the query with no parameterization. An attacker who controls that input writes a forged row into the checkpoint table.

CVE-2026-28277 (CVSS 6.8) finishes the job. LangGraph's msgpack checkpoint decoder — msgpack is a binary serialization format — rebuilds Python objects from stored checkpoint data, including importing a module and calling a named function with attacker-supplied arguments. The SQL injection is what grants remote write access to the store; the decoder then executes whatever callable the forged row specifies, including `os.system`.

Exposure requires a self-hosted deployment on the SQLite or Redis checkpointer with untrusted input reaching `get_state_history()` or a similar history endpoint. Managed LangSmith on PostgreSQL is not affected. No in-the-wild exploitation has been confirmed, but a working proof-of-concept is public.

**Fix:** Bump `langgraph-checkpoint-sqlite` to 3.0.1, `langgraph` to 1.0.10, and `langgraph-checkpoint-redis` to 1.0.2.

LangChain-core: the prompt loader reads your secrets

CVE-2026-34070 (CVSS 7.5) is a path traversal in LangChain-core's legacy `load_prompt()` API. The function reads a file path out of a config dict with no check against traversal sequences or absolute paths. An attacker who influences that path can read any file the process can reach — including the `.env` file holding `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`.

Cyera paired it with CVE-2025-68664 (CVSS 9.3), a deserialization flaw that resolves environment secrets through a crafted object. The two CVEs land in different version ranges, which matters: CVE-2026-34070 is fixed in langchain-core 1.2.22 / 0.3.86; CVE-2025-68664 is fixed in the earlier 1.2.5 / 0.3.81. Patching only the higher-severity flaw leaves the other live.

**Fix:** Upgrade past both thresholds. Replace `load_prompt()` with an allowlisted directory. Run the process as non-root.

Why scanners miss this

A WAF reads HTTP at the edge. An EDR watches the agent server make process calls. Neither is built to model a msgpack decoder or a prompt loader three layers down inside an imported framework as a separate trust boundary. The exploit lives in the dependency, not in the application code the scanner was pointed at.

The fix is procedural as much as technical: add framework dependencies to vulnerability management, and start the patch clock at disclosure — not at a federal catalog entry.