Executive Summary
In early 2026, multiple security vulnerabilities were identified in LangChain and LangGraph, two widely used open-source frameworks for building applications powered by Large Language Models (LLMs). These vulnerabilities include Server-Side Request Forgery (SSRF) in LangChain versions prior to 1.2.11, Regular Expression Denial-of-Service (ReDoS) in versions up to 0.3.1, and a critical Remote Code Execution (RCE) flaw in LangGraph's caching layer before version 4.0.0. Exploitation of these vulnerabilities could lead to unauthorized access to sensitive data, execution of arbitrary code, and potential system compromise. (stack.watch)
The discovery of these vulnerabilities underscores the importance of rigorous security practices in the development and maintenance of AI frameworks. As LLM-powered applications become increasingly prevalent, ensuring the security of underlying frameworks is crucial to prevent potential exploitation by malicious actors.
Why This Matters Now
The recent identification of critical vulnerabilities in LangChain and LangGraph highlights the urgent need for developers and organizations to promptly update their systems to the latest patched versions. Failure to do so may expose applications to significant security risks, including data breaches and unauthorized code execution.
Attack Path Analysis
An attacker exploited a serialization injection vulnerability in LangChain Core to inject malicious data, leading to unauthorized access to sensitive environment variables and potential code execution. This allowed the attacker to escalate privileges by accessing and manipulating environment secrets. Subsequently, the attacker moved laterally within the cloud environment by leveraging the compromised credentials to access other services and data. The attacker established command and control by executing arbitrary code, enabling persistent access and control over the compromised systems. Sensitive data, including API keys and credentials, were exfiltrated from the environment. The attack resulted in significant impact, including potential data breaches and unauthorized access to critical systems.
Kill Chain Progression
Initial Compromise
Description
An attacker exploited a serialization injection vulnerability in LangChain Core to inject malicious data, leading to unauthorized access to sensitive environment variables and potential code execution.
Related CVEs
CVE-2026-34070
CVSS 7.5A path traversal vulnerability in LangChain allows access to arbitrary files without validation via its prompt-loading API.
Affected Products:
LangChain langchain-core – < 1.2.22
Exploit Status:
no public exploitCVE-2025-68664
CVSS 8.2A deserialization of untrusted data vulnerability in LangChain leaks API keys and environment secrets by misinterpreting input data structures.
Affected Products:
LangChain langchain-core – 0.3.81, 1.2.5
Exploit Status:
no public exploitCVE-2025-67644
CVSS 7.8An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation allows manipulation of SQL queries through metadata filter keys.
Affected Products:
LangChain langgraph-checkpoint-sqlite – < 3.0.1
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
File and Directory Discovery
Unsecured Credentials
Data from Local System
Email Collection
Application Layer Protocol
Exfiltration Over Web Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Development Practices
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
LangChain/LangGraph vulnerabilities directly impact AI application developers, exposing filesystem data, environment secrets, and conversation history in widely-used LLM frameworks.
Information Technology/IT
Software vulnerabilities in popular AI frameworks create significant security risks for IT infrastructure managing LLM applications and automated systems.
Financial Services
AI framework flaws threaten sensitive financial data and compliance requirements, particularly impacting automated trading systems and customer service chatbots.
Health Care / Life Sciences
LangChain vulnerabilities pose critical risks to healthcare AI applications handling patient data, potentially violating HIPAA compliance and exposing medical records.
Sources
- LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworkshttps://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.htmlVerified
- LangGraph's SQLite store implementation has a SQL Injection Vulnerabilityhttps://github.com/advisories/GHSA-4h97-wpxp-3757Verified
- LangGraph checkpoint loading has unsafe msgpack deserializationhttps://advisories.gitlab.com/pkg/pypi/langgraph/CVE-2026-28277/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting unauthorized access and lateral movement by enforcing identity-aware policies and workload isolation.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute arbitrary code and access sensitive environment variables would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by accessing and manipulating environment secrets would likely be constrained, reducing the risk of unauthorized privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the cloud environment to access other services and data would likely be constrained, reducing the risk of unauthorized lateral movement.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control by executing arbitrary code would likely be constrained, reducing the risk of persistent access and control over compromised systems.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data, including API keys and credentials, would likely be constrained, reducing the risk of data breaches.
The overall impact of the attack, including potential data breaches and unauthorized access to critical systems, would likely be constrained, reducing the risk of significant damage.
Impact at a Glance
Affected Business Functions
- Data Management
- Application Security
- User Privacy
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive files, environment secrets, and conversation histories.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- • Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Apply Multicloud Visibility & Control to monitor and manage security policies across cloud environments.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
