Critical Vulnerabilities in AI Agent Frameworks: How Attackers Exploit LangChain, LangGraph, and Langflow

Approximately 7,000 instances of the Langflow AI framework are currently exposed to the public internet, leaving critical enterprise infrastructure vulnerable to remote code execution (RCE) attacks. Security researchers have identified that these vulnerabilities exist not within the frontier models themselves, but within the underlying frameworks—such as Langflow, LangGraph, and LangChain—that businesses are rapidly deploying to production. These frameworks, which often handle sensitive database credentials, CRM tokens, and proprietary API keys, are currently being targeted by exploit chains that leverage long-standing, non-AI-specific bug classes, according to technical analysis from firms including Check Point Research, VulnCheck, and Cyera.

The urgency of the situation stems from a critical security gap: while organizations are monitoring their AI models for “hallucinations” or prompt injections, they are often neglecting the security hygiene of the server-side frameworks running those agents. Because these tools were adopted rapidly, they have frequently been deployed without standard authentication or least-privilege access controls. As reported by the Cybersecurity and Infrastructure Security Agency (CISA), previous flaws in similar tooling have already been weaponized by state-sponsored actors, signaling that the window for remediation is closing as attackers pivot toward these unpatched, internet-facing assets.

The Mechanics of the Attack: From Path Traversal to RCE

The current wave of exploitation centers on CVE-2026-5027, a path traversal vulnerability in Langflow’s file upload endpoint that carries a CVSS score of 8.8. According to data from VulnCheck, the vulnerability allows an unauthenticated attacker to manipulate the filename in a POST request to the /api/v2/files endpoint. By using traversal sequences, an attacker can write malicious files to arbitrary locations on the host system, such as /etc/cron.d/, effectively gaining a remote shell. The severity is compounded by the fact that Langflow’s default configuration often ships with auto-login enabled, meaning many of the 7,000 instances identified by Censys can be compromised without any valid credentials.

The timeline for this vulnerability highlights a significant failure in enterprise patch management. The patch for CVE-2026-5027 was officially released on April 15, yet exploitation sensors began recording hits in early June. VulnCheck researchers confirmed that by June 9, attackers were actively using this path traversal to drop test files on victim systems, proving that a gap of nearly two months between disclosure and patching is sufficient for threat actors to weaponize a publicly known flaw. This pattern serves as a warning: security teams must prioritize patching based on the date of public disclosure rather than waiting for an entry to appear in federal vulnerability catalogs.

Framework Vulnerabilities: LangGraph and LangChain-core

Beyond Langflow, other widely used frameworks are facing similar scrutiny. Check Point Research documented a chain of vulnerabilities in LangGraph, a framework used to provide agents with memory through a persistence layer known as a checkpointer. The vulnerability, CVE-2025-67644, is a SQL injection in the SQLite checkpointer that allows an attacker to inject fabricated rows into the checkpoint table. When combined with CVE-2026-28277, an unsafe deserialization flaw, an attacker can trigger the execution of arbitrary Python code, such as os.system, under the identity of the agent server. While no confirmed in-the-wild exploitation has been reported for the LangGraph chain as of the latest security advisories, a functional proof-of-concept is publicly available, necessitating immediate upgrades to langgraph-checkpoint-sqlite version 3.0.1 and related components.
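The two links in the LangGraph chain are a SQL injection into the checkpoint table and unsafe deserialization of what is read back from it. The following is an added illustration, not LangGraph's code, of a minimal checkpoint store that closes both: parameter binding so a hostile thread id is stored as data, and JSON (not pickle) for checkpoint state so a fabricated row can at most fail to parse. `SafeCheckpointStore` and `demo` are hypothetical names, and the inputs are constructed.

```python
import json
import sqlite3

class SafeCheckpointStore:
    """Simplified, hypothetical checkpoint table (not LangGraph's own code).
    1. Caller-supplied values are bound as query parameters, so a thread id
       containing SQL is stored as a literal string, never executed.
    2. State is stored and loaded as JSON, so a fabricated row can at most fail
       to parse; it cannot execute code the way unpickling a blob can.
    """

    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute("CREATE TABLE IF NOT EXISTS checkpoints (thread_id TEXT NOT NULL, "
                          "step INTEGER NOT NULL, state TEXT NOT NULL, PRIMARY KEY (thread_id, step))")

    def put(self, thread_id: str, step: int, state: dict) -> None:
        # Vulnerable shape this replaces: f"... VALUES ('{thread_id}', {step}, '{blob}')"
        self.conn.execute("INSERT OR REPLACE INTO checkpoints (thread_id, step, state) "
                          "VALUES (?, ?, ?)", (thread_id, step, json.dumps(state)))
        self.conn.commit()

    def get_latest(self, thread_id: str):
        row = self.conn.execute("SELECT step, state FROM checkpoints WHERE thread_id = ? "
                                "ORDER BY step DESC LIMIT 1", (thread_id,)).fetchone()
        if row is None:
            return None
        state = json.loads(row[1])  # json.JSONDecodeError is a ValueError subclass
        if not isinstance(state, dict):
            raise ValueError("checkpoint state must be a JSON object")
        return row[0], state

    def thread_ids(self) -> list:
        return [r[0] for r in self.conn.execute("SELECT thread_id FROM checkpoints")]

def demo() -> dict:
    """Constructed inputs: a hostile thread id and a hand-inserted non-JSON row."""
    store = SafeCheckpointStore()
    hostile = "t1'); INSERT INTO checkpoints VALUES ('x', 9, '{}'); --"
    store.put(hostile, 1, {"messages": ["hello"]})
    store.conn.execute("INSERT INTO checkpoints VALUES (?, ?, ?)",
                       ("t2", 1, "not-json: a fabricated checkpoint row"))
    try:
        store.get_latest("t2")
        rejected = False
    except ValueError:
        rejected = True
    return {"ids": store.thread_ids(), "latest": store.get_latest(hostile),
            "fabricated_row_rejected": rejected}
```

The hostile thread id never creates the extra `'x'` row, and the hand-planted non-JSON row is rejected on read instead of being deserialized.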

Simultaneously, research from Cyera has highlighted risks within LangChain-core, specifically CVE-2026-34070. This path traversal vulnerability in the legacy load_prompt() API allows attackers to read sensitive files from the disk, including .env files that frequently house OPENAI_API_KEY or ANTHROPIC_API_KEY credentials. This flaw is often paired with a separate deserialization vulnerability, CVE-2025-68664, which can be exploited to resolve environment secrets. Security teams must ensure that both vulnerabilities are addressed, as patching only one leaves the system exposed to the other. The fix involves upgrading to version 1.2.22 or 0.3.86 for langchain-core, depending on the environment.
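Both the Langflow upload flaw and the LangChain-core prompt-loading flaw are the same bug class, a user-supplied name that is joined to a base directory without checking where it resolves. The following is an added example, not code from Langflow, LangChain or their maintainers, of one containment helper serving both the write case (uploads) and the read case (prompt files); it resolves symlinks and `..` before checking, which a string-prefix check would miss. `resolve_within`, `save_upload`, `load_prompt_file` and `run_demo` are hypothetical names, and the directory layout and `.env` contents are constructed.

```python
import tempfile
from pathlib import Path

def resolve_within(base_dir: str, untrusted_name: str) -> Path:
    """Resolve a user-supplied name strictly inside base_dir.
    resolve() collapses '..' and follows symlinks first, so the containment
    check sees the real target. Rejects '..' escapes, absolute paths, empty
    names and symlinks that point outside base_dir."""
    base = Path(base_dir).resolve()
    candidate = (base / untrusted_name).resolve()
    if base not in candidate.parents:          # must be a proper descendant
        raise ValueError(f"path escapes {base}: {untrusted_name!r}")
    return candidate

def save_upload(upload_dir: str, filename: str, data: bytes) -> Path:
    """Upload (write) case: the file can only land under upload_dir."""
    target = resolve_within(upload_dir, filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target

def load_prompt_file(prompt_dir: str, name: str) -> str:
    """Prompt-loading (read) case: templates are read only from prompt_dir."""
    return resolve_within(prompt_dir, name).read_text()

def run_demo() -> dict:
    """Constructed scenario: a prompts dir next to a decoy .env (placeholder
    value only), plus a symlink inside prompts that points at that .env."""
    root = Path(tempfile.mkdtemp())
    prompts, uploads = root / "prompts", root / "uploads"
    prompts.mkdir()
    (prompts / "greeting.json").write_text('{"template": "hello {name}"}')
    (root / ".env").write_text("OPENAI_API_KEY=placeholder-not-a-real-key\n")
    (prompts / "link").symlink_to(root / ".env")
    names = ["greeting.json", "sub/greeting.json", "../.env", "/etc/cron.d/job",
             "../../../etc/cron.d/job", "link", ""]
    accepted = {}
    for name in names:
        try:
            resolve_within(str(prompts), name)
            accepted[name] = True
        except ValueError:
            accepted[name] = False
    saved = save_upload(str(uploads), "reports/q1.txt", b"ok")
    return {"accepted": accepted, "loaded": load_prompt_file(str(prompts), "greeting.json"),
            "upload_inside": uploads.resolve() in saved.parents}
```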

Why Traditional Security Scanners Miss the Threat

The difficulty in detecting these attacks lies in the “blind spot” where traditional security tools meet modern AI infrastructure. Merritt Baer, a veteran security executive, has noted that these failures often do not appear as “AI risks” to a Chief Information Security Officer (CISO). Instead, they manifest as traditional security program failures—unauthenticated servers or exposed endpoints. Web Application Firewalls (WAFs) are typically configured to scan for standard web traffic patterns, while Endpoint Detection and Response (EDR) systems may perceive the agent server’s activities as normal operations, as the framework is essentially performing its intended, albeit insecure, functions.

As CrowdStrike noted in its recent earnings and technical updates, AI agents function at the process level, making tool calls, accessing files, and invoking APIs. This reality has led to a massive increase in demand for AI-specific detection and response capabilities. Because these frameworks were built for developer convenience rather than secure-by-default production environments, they often lack the hardened authentication and least-privilege configurations required for enterprise security. The current risk is that these frameworks have become “shadow IT”—deployed by development teams without formal security review, thereby bypassing standard change management and governance protocols.

Governance and Remediation Strategy

To address these risks, organizations must move beyond simple CVE tracking and implement a structured trust-boundary assessment. The following table outlines the critical questions that security teams should address immediately to secure their AI agent deployments:

Trust Boundary     | Vulnerability             | Required Action
-------------------|---------------------------|-----------------------------------------------
Agent State Store  | LangGraph SQLi/RCE        | Upgrade to langgraph-checkpoint-sqlite 3.0.1+
File Uploads       | Langflow Path Traversal   | Disable auto-login; upgrade to 1.9.0+
Prompt Loading     | LangChain-core Traversal  | Upgrade to langchain-core 1.2.22 / 0.3.86+

The business impact of these vulnerabilities extends beyond simple data leaks. As noted by security leaders, the “business blast radius” can be significant; if an agent is compromised, it can perform unauthorized actions on production systems at machine speed, such as altering business logic or triggering improper financial transactions. The primary remedy is not a complete re-architecture of the AI stack, but a commitment to rigorous dependency management and the implementation of zero-trust access controls for all AI-enabled tooling. Organizations should look to official vendor release notes—such as those maintained by LangChain’s GitHub repository—to verify their current versioning and ensure that all patches are applied before the next production cycle.

Security teams are encouraged to maintain a regular cadence of discovery sweeps to identify any unauthorized AI frameworks operating within their network perimeter. By treating these frameworks as high-risk infrastructure and bringing them under formal governance, companies can continue to leverage AI innovation without inheriting the supply chain risks associated with insecure, default configurations. Readers are encouraged to share their experiences with securing AI agent frameworks in the comments below, as the industry continues to refine best practices for this rapidly evolving layer of the technology stack.