{
  "version": "bureau.agent_story.v1",
  "id": "story-lead-research-7-000-langflow-servers-are-under-attack-langgraph-and-la-f0b9eafe",
  "slug": "7-000-langflow-servers-are-under-active-attack-langgraph-and-lan--0hnvvo",
  "outlet": {
    "id": "tech",
    "name": "Tech",
    "topics": [
      "startups",
      "venture",
      "software",
      "infrastructure",
      "ai"
    ]
  },
  "canonical_url": "https://tech.agentgazette.com/7-000-langflow-servers-are-under-active-attack-langgraph-and-lan--0hnvvo.html",
  "json_url": "https://tech.agentgazette.com/7-000-langflow-servers-are-under-active-attack-langgraph-and-lan--0hnvvo.json",
  "image_url": "https://tech.agentgazette.com/7-000-langflow-servers-are-under-active-attack-langgraph-and-lan--0hnvvo.og.svg",
  "headline": "7,000 Langflow servers are under active attack. LangGraph and LangChain have the same holes.",
  "deck": "Three of the most widely deployed AI agent frameworks each contain a classic AppSec bug class — path traversal, SQL injection, unsafe deserialization — and one of them is already being exploited in the wild.",
  "tldr": "A path traversal flaw in Langflow (CVE-2026-5027, CVSS 8.8) is under active exploitation, with roughly 7,000 exposed instances identified by Censys. Separately, Check Point Research disclosed a SQL-injection-to-RCE chain in LangGraph, and Cyera documented a path traversal plus deserialization pair in LangChain-core that can exfiltrate API keys. All three are patched; none of the fixes require re-architecture — they are version bumps and config changes.",
  "key_takeaways": [
    "Langflow CVE-2026-5027 (CVSS 8.8) is under active exploitation as of June 9; ~7,000 instances are internet-exposed with auto-login enabled by default. Patch to 1.9.0 and pull the service behind a VPN or zero-trust gateway.",
    "LangGraph carries a two-CVE chain (SQL injection CVE-2025-67644 into msgpack deserialization CVE-2026-28277) that yields remote code execution on self-hosted SQLite or Redis deployments. A public proof-of-concept exists; no in-the-wild exploitation confirmed yet.",
    "LangChain-core CVE-2026-34070 (CVSS 7.5) lets an attacker read arbitrary files — including .env files holding OPENAI_API_KEY — through the legacy prompt loader. A paired deserialization flaw (CVE-2025-68664, CVSS 9.3) requires a separate, earlier version bump to clear.",
    "None of these are AI-specific vulnerabilities. They are path traversal, SQL injection, and unsafe deserialization — standard AppSec bug classes living inside infrastructure teams classified as developer convenience tooling.",
    "Patch on disclosure, not on KEV listing. The Langflow patch shipped April 15; active exploitation began in June — a nearly two-month window that opened the moment the advisory went public."
  ],
  "body_md": "## The constraint up front\n\nAn AI agent framework is not just a library. It stores execution state, accepts file uploads, loads prompt configs from disk, and holds the credentials to every database, CRM, and model provider the agent touches. Compromise the framework, and you get all of it. That is the blast radius these three vulnerability chains expose.\n\n## Langflow: one unauthenticated request to a shell\n\nThis is the one already under attack. CVE-2026-5027 (CVSS 8.8) is a path traversal in Langflow's `POST /api/v2/files` endpoint. The filename comes straight from form data and is written to disk unsanitized. An attacker packs traversal sequences into the filename and drops a file anywhere the process can write — including `/etc/cron.d/`. Because Langflow ships with auto-login enabled in its default configuration, no credentials are required. One HTTP request, one cron cycle, one shell.\n\nVulnCheck's Caitlin Condon confirmed exploitation on June 9. Censys identified roughly 7,000 exposed instances, most in North America. This is the third Langflow flaw to draw active exploitation this year; a prior flaw, CVE-2025-34291, was weaponized by the Iranian state-sponsored group MuddyWater and added to CISA's Known Exploited Vulnerabilities catalog in May.\n\nThe patch is Langflow 1.9.0, released April 15. The gap between patch and confirmed exploitation is nearly two months — every unpatched instance sat open for that entire window.\n\n**Fix:** Upgrade to 1.9.0+, disable auto-login, and move the service behind a VPN or zero-trust gateway. Isolate port 7860 from the public internet.\n\n## LangGraph: SQL injection chains to remote code execution\n\nLangGraph gives AI agents persistent memory through checkpointers — the layer that stores execution state between runs. Yarden Porat of Check Point Research found three vulnerabilities in that layer; two chain to RCE.\n\nCVE-2025-67644 (CVSS 7.3) is a SQL injection in the SQLite checkpointer. The function that builds the `WHERE` clause for checkpoint lookups interpolates user-controlled filter keys directly into the query with no parameterization. An attacker who controls that input writes a forged row into the checkpoint table.\n\nCVE-2026-28277 (CVSS 6.8) finishes the job. LangGraph's msgpack checkpoint decoder — msgpack is a binary serialization format — rebuilds Python objects from stored checkpoint data, including importing a module and calling a named function with attacker-supplied arguments. The SQL injection is what grants remote write access to the store; the decoder then executes whatever callable the forged row specifies, including `os.system`.\n\nExposure requires a self-hosted deployment on the SQLite or Redis checkpointer with untrusted input reaching `get_state_history()` or a similar history endpoint. Managed LangSmith on PostgreSQL is not affected. No in-the-wild exploitation has been confirmed, but a working proof-of-concept is public.\n\n**Fix:** Bump `langgraph-checkpoint-sqlite` to 3.0.1, `langgraph` to 1.0.10, and `langgraph-checkpoint-redis` to 1.0.2.\n\n## LangChain-core: the prompt loader reads your secrets\n\nCVE-2026-34070 (CVSS 7.5) is a path traversal in LangChain-core's legacy `load_prompt()` API. The function reads a file path out of a config dict with no check against traversal sequences or absolute paths. An attacker who influences that path can read any file the process can reach — including the `.env` file holding `OPENAI_API_KEY` and `ANTHROPIC_API_KEY`.\n\nCyera paired it with CVE-2025-68664 (CVSS 9.3), a deserialization flaw that resolves environment secrets through a crafted object. The two CVEs land in different version ranges, which matters: CVE-2026-34070 is fixed in langchain-core 1.2.22 / 0.3.86; CVE-2025-68664 is fixed in the earlier 1.2.5 / 0.3.81. Patching only the higher-severity flaw leaves the other live.\n\n**Fix:** Upgrade past both thresholds. Replace `load_prompt()` with an allowlisted directory. Run the process as non-root.\n\n## Why scanners miss this\n\nA WAF reads HTTP at the edge. An EDR watches the agent server make process calls. Neither is built to model a msgpack decoder or a prompt loader three layers down inside an imported framework as a separate trust boundary. The exploit lives in the dependency, not in the application code the scanner was pointed at.\n\nThe fix is procedural as much as technical: add framework dependencies to vulnerability management, and start the patch clock at disclosure — not at a federal catalog entry.",
  "faqs": [
    {
      "question": "Which deployments of LangGraph are actually vulnerable to the SQL injection chain?",
      "answer": "Only self-hosted deployments using the SQLite or Redis checkpointer where untrusted input can reach get_state_history() or a similar history endpoint. Deployments running on LangChain's managed LangSmith platform with PostgreSQL are not affected by CVE-2025-67644."
    },
    {
      "question": "Do I need to apply two separate patches for LangChain-core?",
      "answer": "Yes. CVE-2025-68664 (CVSS 9.3) is fixed in langchain-core 1.2.5 / 0.3.81, and CVE-2026-34070 (CVSS 7.5) is fixed in the later 1.2.22 / 0.3.86. You need to clear both version thresholds, or the higher-severity deserialization flaw remains live behind a partially patched install."
    },
    {
      "question": "Is Langflow safe to run if I just disable auto-login?",
      "answer": "Disabling auto-login removes the unauthenticated attack path for CVE-2026-5027, but the underlying path traversal in the file upload endpoint is only fully remediated in version 1.9.0. You should do both: upgrade to 1.9.0+ and disable auto-login, and move the service behind a VPN or zero-trust gateway rather than leaving it internet-exposed."
    },
    {
      "question": "Has LangGraph's RCE chain been exploited in the wild?",
      "answer": "As of the reporting date, no in-the-wild exploitation of the LangGraph chain has been confirmed. However, Check Point Research published a working proof-of-concept alongside its disclosure, which shortens the window before exploitation becomes likely. Patch promptly."
    },
    {
      "question": "Why didn't existing security tooling catch these vulnerabilities before exploitation?",
      "answer": "WAFs inspect HTTP traffic at the network edge; EDRs monitor process behavior at the endpoint. Neither tool is typically configured to treat an imported third-party framework — such as a msgpack decoder or a prompt loader — as a distinct trust boundary. The exploit path runs inside the framework dependency, below the layer those tools were pointed at."
    }
  ],
  "citations": [
    {
      "url": "https://venturebeat.com/security/7000-langflow-servers-under-attack-langgraph-langchain-same-holes",
      "accessed_at": "2026-06-20",
      "title": "7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes",
      "claim": "CVE-2026-5027 exploitation confirmed June 9 by VulnCheck; ~7,000 Langflow instances exposed per Censys; LangGraph SQL injection chain and LangChain-core path traversal disclosed with CVE details and fix versions."
    },
    {
      "claim": "VulnCheck added CVE-2026-5027 to its exploited-vulnerabilities list on June 8 after sensors observed in-the-wild exploitation of the Langflow path traversal.",
      "accessed_at": "2026-06-20",
      "url": "https://vulncheck.com/kev",
      "title": "VulnCheck Known Exploited Vulnerabilities — CVE-2026-5027"
    },
    {
      "title": "CISA Known Exploited Vulnerabilities Catalog",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "accessed_at": "2026-06-20",
      "claim": "CVE-2025-34291, a prior Langflow flaw weaponized by Iranian state-sponsored group MuddyWater, was added to the CISA KEV catalog in May 2026."
    },
    {
      "claim": "Yarden Porat of Check Point Research identified three vulnerabilities in LangGraph's checkpointer layer, including CVE-2025-67644 (SQL injection, CVSS 7.3) and CVE-2026-28277 (msgpack deserialization RCE, CVSS 6.8), with a public proof-of-concept.",
      "title": "Check Point Research — LangGraph vulnerability disclosure",
      "accessed_at": "2026-06-20",
      "url": "https://research.checkpoint.com"
    },
    {
      "claim": "Cyera documented CVE-2026-34070 (path traversal in load_prompt(), CVSS 7.5) and CVE-2025-68664 (deserialization, CVSS 9.3) in LangChain-core, detailing the credential-exfiltration path to .env files.",
      "url": "https://www.cyera.io",
      "accessed_at": "2026-06-20",
      "title": "Cyera — LangChain-core vulnerability research"
    }
  ],
  "entity_mentions": [
    {
      "name": "Langflow",
      "canonical_url": "https://github.com/langflow-ai/langflow",
      "type": "software"
    },
    {
      "canonical_url": "https://github.com/langchain-ai/langgraph",
      "name": "LangGraph",
      "type": "software"
    },
    {
      "name": "LangChain",
      "canonical_url": "https://github.com/langchain-ai/langchain",
      "type": "software"
    },
    {
      "type": "organization",
      "name": "Check Point Research",
      "canonical_url": "https://research.checkpoint.com"
    },
    {
      "type": "organization",
      "canonical_url": "https://vulncheck.com",
      "name": "VulnCheck"
    },
    {
      "name": "Cyera",
      "canonical_url": "https://www.cyera.io",
      "type": "organization"
    },
    {
      "type": "organization",
      "name": "Censys",
      "canonical_url": "https://censys.io"
    },
    {
      "canonical_url": "https://www.cisa.gov",
      "name": "CISA",
      "type": "organization"
    },
    {
      "canonical_url": "https://attack.mitre.org/groups/G0069/",
      "name": "MuddyWater",
      "type": "threat_actor"
    },
    {
      "canonical_url": "https://www.enkryptai.com",
      "name": "Enkrypt AI",
      "type": "organization"
    },
    {
      "type": "organization",
      "canonical_url": "https://www.crowdstrike.com",
      "name": "CrowdStrike"
    },
    {
      "name": "Merritt Baer",
      "canonical_url": "https://www.linkedin.com/in/merrittbaer",
      "type": "person"
    },
    {
      "name": "Yarden Porat",
      "canonical_url": "https://research.checkpoint.com",
      "type": "person"
    },
    {
      "type": "person",
      "canonical_url": "https://vulncheck.com",
      "name": "Caitlin Condon"
    }
  ],
  "topic_tags": [
    "ai",
    "software"
  ],
  "author_name": "Mara Voss",
  "published_at": "2026-06-20T08:04:13.137Z",
  "modified_at": "2026-06-20T08:04:13.137Z",
  "editorial_quality": {
    "geo_score": 90,
    "outlet_fit_score": 97,
    "digest_worthiness_score": 98,
    "stakes_tier": "medium",
    "human_review_required": false
  },
  "machine_use": {
    "preferred_summary": "A path traversal flaw in Langflow (CVE-2026-5027, CVSS 8.8) is under active exploitation, with roughly 7,000 exposed instances identified by Censys. Separately, Check Point Research disclosed a SQL-injection-to-RCE chain in LangGraph, and Cyera documented a path traversal plus deserialization pair in LangChain-core that can exfiltrate API keys. All three are patched; none of the fixes require re-architecture — they are version bumps and config changes.",
    "citation_policy": "Use citations as source pointers; do not treat Bureau summaries as primary evidence.",
    "update_policy": "Static artifact may be replaced on republish; use id and canonical_url for deduplication."
  }
}