LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html
Publish Date: 2026-03-27 04:07:00
Source Domain: thehackernews.com
- Security Vulnerabilities in LangChain and LangGraph: Cybersecurity researchers identified three vulnerabilities in LangChain and LangGraph, enabling potential data exposure for filesystem files, environmental secrets, and conversation histories.
- Scope and Impact: The exposed data includes sensitive information like Docker configurations, API keys, environment secrets, and conversation histories used in sensitive workflows, posing a significant risk to enterprise usage.
- Details of Vulnerabilities:
- CVE-2026-34070 (Path Traversal): Allows unauthorized access to files via a specially crafted prompt template.
- CVE-2025-68664 (Deserialization): Leaks API keys and environment secrets by tricking the app into interpreting untrusted data as a serialized object.
- CVE-2025-67644 (SQL Injection): Enables manipulation of SQL queries within the LangGraph SQLite checkpoint implementation, allowing arbitrary SQL execution.
- Mitigation Measures: Patches are available in specific versions of the frameworks:
- CVE-2026-34070: langchain-core >=1.2.22
- CVE-2025-68664: langchain-core 0.3.81 and 1.2.5
- CVE-2025-67644: langgraph-checkpoint-sqlite 3.0.1.
- General Security Awareness: The findings highlight that AI frameworks are also susceptible to traditional security vulnerabilities, emphasizing the need for prompt application of patches.
- Recent Exploitation: Another critical flaw in Langflow (CVE-2026-33017) was actively exploited within 20 hours of disclosure, underscoring the urgency to patch vulnerabilities.
