Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if efficiently exploited, might expose filesystem information, surroundings secrets and techniques, and dialog historical past.
Each LangChain and LangGraph are open-source frameworks which might be used to construct purposes powered by Massive Language Fashions (LLMs). LangGraph is constructed on the foundations of LangChain for extra subtle and non-linear agentic workflows. In keeping with statistics on the Python Package deal Index (PyPI), LangChain, LangChain-Core, and LangGraph have been downloaded greater than 52 million, 23 million, and 9 million instances final week alone.
“Every vulnerability exposes a special class of enterprise information: filesystem recordsdata, surroundings secrets and techniques, and dialog historical past,” Cyera security researcher Vladimir Tokarev mentioned in a report printed Thursday.
The problems, in a nutshell, supply three unbiased paths that an attacker can leverage to empty delicate information from any enterprise LangChain deployment. Particulars of the vulnerabilities are as follows –
- CVE-2026-34070 (CVSS rating: 7.5) – A path traversal vulnerability in LangChain (“langchain_core/prompts/loading.py”) that enables entry to arbitrary recordsdata with none validation by way of its prompt-loading API by supplying a specifically crafted immediate template.
- CVE-2025-68664 (CVSS rating: 9.3) – A deserialization of untrusted information vulnerability in LangChain that leaks API keys and surroundings secrets and techniques by passing as enter an information construction that tips the applying into decoding it as an already serialized LangChain object quite than common consumer information.
- CVE-2025-67644 (CVSS rating: 7.3) – An SQL injection vulnerability in LangGraph SQLite checkpoint implementation that enables an attacker to govern SQL queries by way of metadata filter keys and run arbitrary SQL queries in opposition to the database.
Profitable exploitation of the aforementioned flaws might enable an attacker to learn delicate recordsdata like Docker configurations, siphon delicate secrets and techniques by way of immediate injection, and entry dialog histories related to delicate workflows. It is value noting that particulars of CVE-2025-68664 had been additionally shared by Cyata in December 2025, giving it the cryptonym LangGrinch.
The vulnerabilities have been patched within the following variations –
- CVE-2026-34070 – langchain-core >=1.2.22
- CVE-2025-68664 – langchain-core 0.3.81 and 1.2.5
- CVE-2025-67644 – langgraph-checkpoint-sqlite 3.0.1
The findings as soon as once more underscore how synthetic intelligence (AI) plumbing is just not proof against traditional security vulnerabilities, doubtlessly placing whole programs in danger.
The event comes days after a essential security flaw impacting Langflow (CVE-2026-33017, CVSS rating: 9.3) has come below energetic exploitation inside 20 hours of public disclosure, enabling attackers to exfiltrate delicate information from developer environments.
Naveen Sunkavally, chief architect at Horizon3.ai, mentioned the vulnerability shares the identical root trigger as CVE-2025-3248, and stems from unauthenticated endpoints executing arbitrary code. With menace actors shifting rapidly to take advantage of newly disclosed flaws, it is important that customers apply the patches as quickly as doable for optimum safety.
“LangChain would not exist in isolation. It sits on the middle of a large dependency net that stretches throughout the AI stack. A whole bunch of libraries wrap LangChain, prolong it, or rely upon it,” Cyera mentioned. “When a vulnerability exists in LangChain’s core, it doesn’t simply have an effect on direct customers. It ripples outward by way of each downstream library, each wrapper, each integration that inherits the weak code path.”
