LangChain Vendor Cyber Rating & Cyber Score

langchain.com

LangChain provides the agent engineering platform and open source frameworks developers need to ship reliable agents fast.


LangChain A.I CyberSecurity Scoring

Company Information
Website: http://langchain.com
Employees number: 187
Number of followers: 477,971
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: langchain.com

LangChain Risk Score (AI oriented)
Between 700 and 749
Updated: 12/06/2026
Score: 741/1000, Moderate, rating Ba
Powered by our proprietary A.I cyber incident model

LangChain: Moderate
Current Score: 741 Ba (MODERATE)
Scale: 0 to 1000
6 incidents
-4.2 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
741 Before Incident
MAY 2026
744 Before Incident
Vulnerability
01 May 2026, LangChain
LangChain and LangGraph: Critical LangGraph Vulnerability Chain Enables Full Server Takeover

Critical RCE Vulnerability Chain Disclosed in LangGraph AI Framework

740 After Incident
CRITICAL (-4)
LAN1781267219
A newly disclosed vulnerability chain in LangGraph, an open-source AI agent framework developed by the creators of LangChain, enables attackers to achieve remote code execution (RCE) on self-hosted deployments. With 46.5 million monthly downloads, LangGraph is widely adopted in enterprise environments, amplifying the risk of exploitation.

The flaws stem from the `get_state_history()` function, which retrieves agent checkpoints (essentially the AI's memory) from a persistence layer. The vulnerabilities include:
- CVE-2025-67644 (CVSS 7.3): An SQL injection flaw in the SQLite checkpointer's `_metadata_predicate()` function, where user-controlled metadata filter keys are unsafely interpolated into SQL queries, allowing arbitrary SQL manipulation.
- CVE-2026-28277: An unsafe msgpack deserialization flaw in the checkpoint loading mechanism. Attackers can exploit the SQL injection to inject malicious msgpack payloads, reconstructing harmful Python objects and triggering `os.system()` execution.
- CVE-2026-27022: A similar query injection issue in the Redis checkpointer backend.

A successful exploit grants attackers full server compromise, exposing LLM API keys, conversation histories, CRM credentials, customer PII, and internal network access, far beyond the scope of a single-session prompt injection. Unlike transient attacks, this provides persistent, retrospective access to all agent operations.

The vulnerabilities affect self-hosted deployments using SQLite or Redis checkpointers with user-controllable filter input. LangChain's managed platform (using PostgreSQL) remains unaffected.

Patches are available:
- CVE-2025-67644: `langgraph-checkpoint-sqlite ≥ 3.0.1`
- CVE-2026-28277: `langgraph ≥ 1.0.10`
- CVE-2026-27022: `langgraph-checkpoint-redis ≥ 1.0.2`

The incident underscores a growing risk in AI frameworks: traditional vulnerabilities like SQL injection become far more dangerous when embedded in systems with elevated access, long-lived secrets, and trusted identities. Organizations running LangGraph in production are advised to apply patches immediately.
INCIDENT DETAILS -
TYPE
Remote Code Execution (RCE)
IMPACT
LLM API keys, Conversation histories, CRM credentials, Customer PII, Internal network access
Systems Affected: Self-hosted LangGraph deployments using SQLite or Redis checkpointers
Operational Impact: Full server compromise with persistent, retrospective access to all agent operations
Identity Theft Risk: High (due to exposure of customer PII)
DATA BREACH
LLM API keys, Conversation histories, CRM credentials, Customer PII
Sensitivity Of Data: High (PII, internal credentials, and network access)
Personally Identifiable Information: Yes
APRIL 2026
744 Before Incident
MARCH 2026
743 Before Incident
FEBRUARY 2026
747 Before Incident
Vulnerability
17 Feb 2026, LangChain
LangChain: Langchain Community SSRF Bypass Vulnerability Exposes Internal Services to Unauthorized Access

Critical SSRF Vulnerability Patched in LangChain’s @langchain/community Package

743 After Incident
HIGH (-4)
LAN1771309474
The LangChain development team has released a security update for the @langchain/community package to fix a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-26019) in the RecursiveUrlLoader class. The flaw, rated 6.1 (Moderate), allowed attackers to bypass domain restrictions and access internal network resources or cloud metadata services.

The vulnerability stemmed from weak URL validation in the RecursiveUrlLoader, which relied on a simple String.startsWith() check rather than strict origin validation. This enabled attackers to craft malicious domains (e.g., example.com.attacker.com) that evaded the preventOutside restriction, designed to keep crawlers within the same domain. Additionally, the utility lacked validation against private IP ranges, allowing attackers to force requests to internal services, localhost, or cloud metadata endpoints commonly used to steal IAM credentials and session tokens from AWS, Google Cloud, and Azure.

Affected versions (≤ 1.1.13) have been patched in version 1.1.14, which introduces two key fixes:
1. Strict origin validation using the URL API, ensuring exact matches for scheme, hostname, and port.
2. A new SSRF validation module that blocks requests to private IP ranges, loopback addresses, and cloud metadata endpoints (e.g., 169.254.169.254).

Developers are advised to upgrade immediately or mitigate risks by avoiding untrusted content in RecursiveUrlLoader or isolating applications in restricted network environments.
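The two fixes described above, sketched as an added example that is not code from @langchain/community or from this page: the prefix check beside an exact origin comparison, plus a block on internal address literals. All function names and reason strings are assumptions made for illustration.

```javascript
// Added illustration. Function names are hypothetical; this is not the
// @langchain/community implementation.

// Weak check described above: prefix match on the raw string.
function prefixCheck(baseUrl, candidate) {
  return candidate.startsWith(baseUrl);
}

// Strict check: exact match on scheme, hostname and port via the URL API.
function sameOrigin(baseUrl, candidate) {
  try {
    const b = new URL(baseUrl);
    const c = new URL(candidate);
    return b.protocol === c.protocol && b.hostname === c.hostname && b.port === c.port;
  } catch {
    return false; // unparseable input is never same-origin
  }
}

// True for loopback, private, link-local (incl. 169.254.169.254) and
// unspecified addresses. The URL parser has already normalised IPv4
// literals to dotted-quad and wrapped IPv6 literals in brackets.
function isInternalHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.startsWith("[")) {
    const v6 = host.slice(1, -1);
    return v6 === "::1" || v6 === "::" || v6.startsWith("::ffff:") ||
      /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
  }
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false; // a DNS name, not an address literal
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Decision for one discovered link, with a reason suitable for logging.
function checkCrawlTarget(baseUrl, candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  if (isInternalHost(url.hostname)) return { allowed: false, reason: "internal-address" };
  if (!sameOrigin(baseUrl, candidate)) return { allowed: false, reason: "cross-origin" };
  return { allowed: true, reason: "same-origin" };
}
```

A hostname check on its own does not cover a DNS name that resolves to an internal address, so a production validator also checks the resolved IP before connecting.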
INCIDENT DETAILS -
TYPE
Server-Side Request Forgery (SSRF)
IMPACT
Data Compromised: Potential access to IAM credentials and session tokens from AWS, Google Cloud, and Azure
Systems Affected: Applications using @langchain/community ≤ 1.1.13 with RecursiveUrlLoader
Operational Impact: Risk of unauthorized access to internal network resources or cloud metadata services
Identity Theft Risk: High (if IAM credentials or session tokens were compromised)
DATA BREACH
Type Of Data Compromised: IAM credentials, session tokens, internal network resources
Sensitivity Of Data: High (cloud metadata, internal services)
Data Exfiltration: Possible if exploited
JANUARY 2026
751 Before Incident
Vulnerability
07 Jan 2026, LangChain
LangChain: Critical LangSmith Account Takeover Vulnerability Puts Users at Risk

Critical LangSmith Vulnerability (CVE-2026-25750) Exposed AI Environments to Token Theft and Account Takeover

746 After Incident
CRITICAL (-5)
LAN1773469421
Researchers at Miggo Security uncovered a severe vulnerability in LangSmith, tracked as CVE-2026-25750, that could enable token theft and full account takeover in enterprise AI environments. LangSmith, a platform for debugging and monitoring large language model (LLM) data, processes billions of daily events, amplifying the potential impact of the flaw.

The vulnerability stemmed from an insecure API configuration in LangSmith Studio, where the `baseUrl` parameter, used to direct frontend requests to backend APIs, was implicitly trusted without domain validation. Attackers could exploit this by tricking authenticated users into visiting a malicious site or a compromised webpage containing a crafted link. The victim's browser would then silently route API requests and session credentials to an attacker-controlled server, enabling session hijacking within a five-minute window before token expiration.

Exploitation did not require traditional phishing; instead, the attack executed in the background via malicious JavaScript, leveraging the victim's active session. Once compromised, attackers could access AI trace histories, exposing raw execution data, proprietary source code, financial records, or sensitive customer information. They could also steal system prompts (critical intellectual property defining AI model behavior) or manipulate project settings to disrupt observability workflows.

LangChain patched the flaw by enforcing a strict allowed origins policy, requiring domains to be pre-approved in account settings. Unauthorized `baseUrl` requests are now automatically blocked. The vulnerability was fully resolved for LangSmith Cloud customers by December 15, 2025, with no evidence of active exploitation reported. However, self-hosted administrators must upgrade to LangSmith v0.12.71 or Helm chart langsmith-0.12.33 to secure their deployments.

The official security advisory was published on January 7, 2026.
INCIDENT DETAILS -
TYPE
API Misconfiguration
IMPACT
Data Compromised: AI trace histories, raw execution data, proprietary source code, financial records, sensitive customer information, system prompts
Systems Affected: LangSmith (Cloud and self-hosted deployments)
Operational Impact: Disruption of observability workflows, potential manipulation of project settings
Identity Theft Risk: High (session hijacking, account takeover)
DATA BREACH
AI trace histories, Proprietary source code, Financial records, Sensitive customer information, System prompts
Sensitivity Of Data: High
Data Exfiltration: Possible (via session hijacking)
DECEMBER 2025
755 Before Incident
Vulnerability
25 Dec 2025, LangChain
LangGrinch Vulnerability in langchain-core

751 After Incident
CRITICAL (-4)
LAN1766986573
Critical ‘LangGrinch’ Vulnerability in LangChain-Core Exposes AI Agent Secrets

A recently disclosed high-severity vulnerability, dubbed LangGrinch, affects langchain-core—a foundational library powering AI agents in production environments. The flaw, tracked with a CVSS score of 9.3, stems from an insecure serialization and deserialization process in the library's helper functions. Attackers can exploit it via prompt injection, tricking AI agents into generating structured outputs containing LangChain's internal marker key. When improperly escaped during serialization, this data can later be deserialized as a trusted object, enabling malicious actions.

The vulnerability resides in langchain-core itself, a core dependency for frameworks and applications across the AI ecosystem. With 847 million total downloads and tens of millions monthly, the library is deeply embedded in modern AI workflows. Exploitation could lead to full environment variable exfiltration, including cloud credentials, database connection strings, vector database secrets, and LLM API keys—potentially escalating to remote code execution under certain conditions.

Security researchers at Cyata identified 12 distinct exploit flows, demonstrating how routine agent operations—such as persisting, streaming, or reconstructing structured data—can inadvertently open attack paths. Notably, the flaw lies in the serialization path, not deserialization, expanding the attack surface reachable from a single prompt. Cyata emphasized the risk of the vulnerability residing in the ecosystem's "plumbing layer," making it particularly dangerous for production systems.

Patches are available in langchain-core versions 1.2.5 and 0.3.81, following ethical disclosure to LangChain's maintainers, who implemented remediation and additional security hardening. The discovery underscores the evolving security challenges of agentic AI, where governance and permission boundaries become critical as systems move into production.
INCIDENT DETAILS -
TYPE
Serialization/Deserialization Injection
IMPACT
Data Compromised: Environment variables, cloud provider credentials, database and RAG connection strings, vector database secrets, LLM API keys
Systems Affected: AI agent frameworks and applications using langchain-core
Operational Impact: Potential full environment variable exfiltration, remote code execution under certain conditions
DATA BREACH
Type Of Data Compromised: Environment variables, credentials, API keys
Sensitivity Of Data: High (cloud provider credentials, database secrets, LLM API keys)
Data Exfiltration: Yes (via outbound HTTP requests)
NOVEMBER 2025
755 Before Incident
OCTOBER 2025
755 Before Incident
SEPTEMBER 2025
755 Before Incident
AUGUST 2025
754 Before Incident
JULY 2025
754 Before Incident
JUNE 2025
758 Before Incident
Vulnerability
18 Jun 2025, LangChain

AgentSmith Vulnerability in LangChain's LangSmith Platform

754 After Incident
CRITICAL (-4)
LAN901061825
Cybersecurity researchers at Noma Security disclosed a critical vulnerability dubbed AgentSmith in LangChain's LangSmith platform, specifically affecting its public Prompt Hub. This flaw, with a CVSS score of 8.8, could allow malicious AI agents to steal sensitive user data, including OpenAI API keys, and manipulate responses from large language models (LLMs). The vulnerability exploited harmful proxy configurations, enabling attackers to gain unauthorized access to victims' OpenAI accounts, potentially downloading sensitive datasets, inferring confidential information, or causing financial losses by exhausting API usage quotas. In advanced attacks, the malicious proxy could alter LLM responses, leading to fraud or incorrect automated decisions. LangChain confirmed the issue and deployed a fix, introducing new safety measures to prevent future exploitation.
INCIDENT DETAILS -
TYPE
Vulnerability Exploit
MOTIVATION
Data theft, Unauthorized access, Financial loss, Fraud
IMPACT
OpenAI API keys, Uploaded files, Voice inputs
Systems Affected: LangSmith's Prompt Hub
DATA BREACH
OpenAI API keys, Uploaded files, Voice inputs
Sensitivity Of Data: High
JANUARY 2025
774 Before Incident
Vulnerability
01 Jan 2025, LangChain
LangChain and LangGraph: 'Each vulnerability exposes a different class of enterprise data': LangChain framework hit by several worrying security issues — here's what we know

LangChain and LangGraph Patch Critical Vulnerabilities Exposing Sensitive Data

757 After Incident
CRITICAL (-17)
LAN1774635883
LangChain and LangGraph, two widely used open-source frameworks for building AI applications, recently addressed three high-severity vulnerabilities that could allow threat actors to exfiltrate sensitive data. With over 60 million combined weekly downloads on the Python Package Index (PyPI), these tools are integral to AI development, powering chatbots, assistants, and multi-step AI workflows.

The vulnerabilities included:
- CVE-2026-34070 (7.5/10): A path traversal flaw in LangChain enabling arbitrary file access without validation.
- CVE-2025-68664 (9.3/10): A critical deserialization issue in LangChain leaking API keys and environment secrets.
- CVE-2025-67644 (7.3/10): An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation, allowing query manipulation.

Security researcher Vladimir Tokarev of Cyera noted that these flaws exposed different types of enterprise data, including filesystem files, environment secrets, and conversation histories. Exploitation could lead to unauthorized access to Docker configurations, prompt injection attacks, and exposure of sensitive workflow data.

Patches have been released, with fixes available in the following versions:
- CVE-2026-34070: LangChain-core ≥1.2.22
- CVE-2025-68664: LangChain-core ≥0.3.81 or ≥1.2.5
- CVE-2025-67644: LangGraph-checkpoint-sqlite ≥3.0.1

Cyera emphasized that these vulnerabilities highlight broader risks in AI infrastructure, particularly in foundational components like LangChain, which serves as a dependency for hundreds of downstream libraries. The flaws could propagate through the AI stack, affecting integrations and wrappers that inherit the vulnerable code.

To mitigate risks, developers were advised to audit configurations, avoid enabling `secrets_from_env=True` when deserializing untrusted data, and treat LLM outputs as untrusted input. Additionally, metadata filter keys should be validated before being passed to checkpoint queries to prevent injection attacks.
INCIDENT DETAILS -
TYPE
Data Exfiltration, Path Traversal, Deserialization Vulnerability, SQL Injection
IMPACT
Filesystem files, Environment secrets, Conversation histories, API keys, Docker configurations, Prompt injection data, Workflow data
LangChain, LangGraph
DATA BREACH
Filesystem files, Environment secrets, Conversation histories, API keys
Sensitivity Of Data: High
