The AI agent revolution is moving fast — and the security infrastructure around it is struggling to keep up. Langflow, LangChain, and LangGraph have become the default plumbing for tens of millions of AI-powered applications, from enterprise chatbots and RAG pipelines to fully autonomous multi-agent systems. But in 2025 and 2026, a cascade of critical vulnerabilities across all three frameworks has turned that plumbing into a series of open floodgates. If your organisation is building or running AI agents on any of these tools, this is not a story you can afford to skim.


The Scale of the Problem: Why These Frameworks Are High-Value Targets

To understand the severity of these risks, you first need to appreciate just how embedded these tools are.

According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core, and LangGraph have been downloaded more than 52 million, 23 million, and 9 million times in a single week alone.

Langflow itself is an open-source, low-code visual framework for building AI workflows, RAG applications, and multi-agent systems, boasting over 140,000 GitHub stars.

That massive adoption creates a massive attack surface.

Teams file LangGraph, Langflow, and LangChain under developer convenience, then wire them into databases, CRMs, and provider keys — often without treating them with the same security scrutiny applied to traditional enterprise software. That miscategorisation is exactly what threat actors are exploiting.


Langflow: From Research Tool to Active Exploitation Target

CVE-2025-3248: The Critical RCE That Shook the AI World

CVE-2025-3248 is a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows.

The issue resides in the platform's /api/v1/validate/code endpoint, which improperly invokes Python's built-in exec() function on user-supplied code without authentication or sandboxing — allowing attackers to exploit the API and execute arbitrary commands on the server.

This vulnerability is easily exploitable and enables unauthenticated remote attackers to fully compromise Langflow servers.

What makes the timeline particularly alarming is how long this flaw lingered.

A nearly two-year arc from initial discovery to final fix is an unusually long exposure window, and one that reveals the architectural trade-offs behind the endpoint and how Langflow's security posture evolved over that period.

The real-world consequences came quickly.

An active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 deployed the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.

On May 5, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-3248 to its Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed exploitation in the wild.

Cybersecurity firm GreyNoise observed 361 malicious IP addresses attempting to exploit CVE-2025-3248, primarily targeting systems in the US, Australia, Singapore, Germany, and Mexico.

CVE-2025-34291: Account Takeover Via Three Chained Weaknesses

The danger didn't stop there.

A further flaw, tracked as CVE-2025-34291 (CVSS v4.0: 9.4), enables an attacker to achieve complete account takeover and Remote Code Execution simply by having a user visit a malicious webpage.

The vulnerability chain exploits three combined weaknesses: overly permissive CORS that allows cross-origin requests with credentials from any source, a lack of CSRF protection on the token refresh endpoint, and a code validation endpoint that allows code execution by design.

The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace.


LangChain and LangGraph: Classic Bugs in Cutting-Edge AI Infrastructure

In March 2026, a coordinated disclosure revealed that the problems extended far beyond Langflow.

A disclosure by Cyera Research identified multiple high- and critical-severity vulnerabilities across LangChain and LangGraph, compounding a pattern of serious flaws documented throughout 2024 and 2025.

Three CVEs, Three Classes of Enterprise Data Exposed

"Each vulnerability exposes a different class of enterprise data: filesystem files, environment secrets, and conversation history," said security researcher Vladimir Tokarev of Cyera.

The three vulnerabilities break down as follows:

A path traversal vulnerability in LangChain that allows access to arbitrary files without any validation via its prompt-loading API by supplying a specially crafted prompt template.

The highest-severity vulnerability in this analysis cycle enables serialization injection that allows an attacker to leverage prompt injection to escalate into arbitrary code execution and secret extraction from environment variables.

An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation that allows an attacker to manipulate SQL queries through metadata filter keys and run arbitrary SQL queries against the database.

The Ripple Effect: Why Your Whole Stack Is at Risk

Perhaps the most sobering aspect of these LangChain and LangGraph vulnerabilities is how far their reach extends.

LangChain doesn't exist in isolation — it sits at the center of a massive dependency web that stretches across the AI stack, with hundreds of libraries wrapping LangChain, extending it, or depending on it.

Researchers warn that vulnerabilities ripple outward through every downstream library, wrapper, and integration inheriting the vulnerable code paths.

What makes CVE-2025-68664, the serialization injection flaw described above, particularly dangerous is its attack chain: a malicious payload does not need to arrive through a port scan or a brute-force login attempt — it arrives through an LLM prompt, possibly injected via a poisoned document in a RAG knowledge base, a compromised web page fetched by an AI browsing agent, or an adversarial email processed by an AI assistant.


The Root Cause: Old Vulnerabilities, New Infrastructure

A striking observation across all three frameworks is that these aren't exotic, AI-specific flaws.

Three frameworks, three classic AppSec bugs: path traversal, SQL injection, and unsafe deserialization — nothing exotic, nothing AI-specific, just old vulnerabilities living inside new infrastructure.

Developers building AI infrastructure must apply robust security practices including strict authentication, input validation, sandboxing, and minimal privilege — especially when processing user-supplied code. Addressing such issues early in the development lifecycle will be critical for ensuring the secure growth of LLM-powered applications.

The speed-to-market culture in AI tooling has exacerbated this.

In AI especially, teams rush to build and win adoption, and security trails behind.

That trail needs to close — urgently.


Practical Tips: What You Should Do Right Now

Here's a concrete action plan for security teams and AI developers:

1. Patch Immediately

Teams should treat the following upgrades as urgent remediation actions: langchain-core >= 0.3.81 (CVE-2025-68664), langchain-core >= 1.2.22 (CVE-2026-34070), langgraph-checkpoint >= 3.0, and langgraph-checkpoint-sqlite >= 3.0.1.

For Langflow, upgrade to version 1.3.0 or later immediately.

2. Audit Your Full Dependency Graph

Because langchain, langchain-core, langchain-community, langchain-experimental, langgraph, langgraph-checkpoint, and langgraph-checkpoint-sqlite are versioned independently, a single pip install langchain --upgrade does not guarantee that all vulnerable components are addressed.

Dependency tracking tools such as Dependabot, Snyk, or Renovate should be configured to monitor each package independently and to alert on new CVEs.
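Because each package is versioned independently, a quick local check against the floors quoted in this article is worth running on every deployment. The script below is an added example, not code from the article or from any of the projects; it reads installed versions from the current interpreter and reports each unmet floor per advisory. It assumes no third-party version library is available, so it uses its own small numeric comparison (pre-release tags such as "rc1" are ignored).

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Minimum fixed versions as quoted in the article, one row per advisory, so a
# package that appears under two CVEs is checked against both floors.
FLOORS = [
    ("langchain-core", "CVE-2025-68664", "0.3.81"),
    ("langchain-core", "CVE-2026-34070", "1.2.22"),
    ("langgraph-checkpoint", "langgraph-checkpoint 3.0 floor", "3.0"),
    ("langgraph-checkpoint-sqlite", "SQLite checkpoint SQL injection", "3.0.1"),
    ("langflow", "CVE-2025-3248", "1.3.0"),
]

def parse_version(text):
    """Reduce '1.2.22rc1' to (1, 2, 22); pre-release tags are deliberately ignored."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def is_below(current, minimum):
    """True if current < minimum, zero-padding the shorter tuple so '1.3' == '1.3.0'."""
    a, b = parse_version(current), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def unmet_floors(installed):
    """installed: {package: version string, or None when absent}.
    Returns [(package, advisory, installed_version, required_version)] per unmet floor."""
    findings = []
    for package, advisory, minimum in FLOORS:
        current = installed.get(package)
        if current is None:
            continue  # not installed: nothing to patch for this package
        if is_below(current, minimum):
            findings.append((package, advisory, current, minimum))
    return findings

def scan_environment():
    """Collect versions from the running interpreter's site-packages and check them."""
    found = {}
    for package, _, _ in FLOORS:
        try:
            found[package] = installed_version(package)
        except PackageNotFoundError:
            found[package] = None
    return unmet_floors(found)

if __name__ == "__main__":
    for package, advisory, current, minimum in scan_environment():
        print(f"{package} {current} < {minimum}: {advisory} floor not met")
```

Run it inside each virtual environment or container image separately; a clean result in one environment says nothing about the others.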

3. Restrict Public Access

Organisations running Langflow should immediately patch and upgrade to version 1.3.0 or later, restrict public access to Langflow endpoints, and monitor for indicators of compromise associated with the Flodrix botnet.

For LangGraph, if you're managing self-hosted AI, your priority has to be isolation.

4. Apply Least-Privilege Principles

Scope permissions specifically to the application's needs. Granting broad or excessive permissions can introduce significant security vulnerabilities. Consider using read-only credentials, disallowing access to sensitive resources, and using sandboxing techniques such as running inside a container.

5. Treat LLM Outputs as Untrusted Input

Researchers urge the community to treat LLM outputs as "untrusted input", since different fields can be influenced by prompt injection.

Do not pass external or user-controlled data directly into prompt-loading or serialization functions without validation.

6. Don't Enable secrets_from_env by Default

Any code that passes external or user-controlled configurations to load_prompt_from_config() or load_prompt() needs to be audited, and developers should not enable secrets_from_env=True when deserializing untrusted data. "The new default is False. Keep it that way," researchers warned.

7. Monitor for Active Exploitation

If upgrading is not possible, secure Langflow by restricting network access through a firewall and blocking public access to the /api/v1/validate/code endpoint. Additionally, monitor logs for suspicious POST requests on the endpoint.
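The monitoring step above is straightforward to automate. The following is an added example, not part of the article or of Langflow itself: it parses access-log lines in the common combined format (as written by nginx or Apache in front of Langflow, an assumed deployment) and counts POST requests to /api/v1/validate/code per source address, normalising query strings and trailing slashes so variants of the path are not missed. The sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined log format (not real traffic);
# addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:10:01:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [05/May/2025:10:01:03 +0000] "POST /api/v1/validate/code?x=1 HTTP/1.1" 200 298 "-" "python-requests/2.31"
198.51.100.4 - - [05/May/2025:10:02:11 +0000] "GET /api/v1/flows HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2025:10:01:04 +0000] "POST /api/v1/validate/code HTTP/1.1" 500 87 "-" "python-requests/2.31"
198.51.100.4 - - [05/May/2025:10:03:00 +0000] "POST /api/v1/validate/code/ HTTP/1.1" 200 300 "-" "curl/8.4.0"
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
WATCHED_PATH = "/api/v1/validate/code"

def parse_line(line):
    """Return the request fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and any trailing slash so path variants compare equal.
    path = m.group("target").split("?", 1)[0].rstrip("/") or "/"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status")), "ua": m.group("ua")}

def validate_code_posts(log_text):
    """Count POST requests to the code-validation endpoint per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"] == WATCHED_PATH:
            hits[entry["ip"]] += 1
    return hits

def report(log_text):
    """Human-readable findings, busiest source first."""
    return [f"{ip}: {n} POST(s) to {WATCHED_PATH}"
            for ip, n in validate_code_posts(log_text).most_common()]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On an instance where the endpoint is blocked at the firewall, any hit at all indicates the block is not effective and the source should be investigated.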


Conclusion: AI Security Is Not Optional

The vulnerabilities in Langflow, LangChain, and LangGraph are a watershed moment for AI security.

These disclosures show how quickly threat actors are moving to target AI infrastructure after disclosure. Once high-profile AI framework vulnerabilities become public, organisations should expect rapid scanning, probing, and opportunistic exploitation attempts.

The tools powering the next generation of intelligent applications are built on the same foundations as every other piece of software — and they carry the same old risks.

Organisations building agentic AI applications on these frameworks face material risk until all affected components are patched.

The good news is that patches exist. The bad news is that unpatched systems are being actively hunted right now.

Don't wait for a breach to take AI security seriously. If you're running AI agents in production, conduct a full dependency audit today, enforce network isolation, apply the patches listed above, and build a continuous monitoring process for AI framework CVEs. Your AI stack is only as secure as its most vulnerable component — and right now, those components are under active attack.