Three of the most widely deployed AI agent frameworks — Langflow, LangGraph, and LangChain — are under active attack, with researchers from Check Point, Tenable, VulnCheck, and Cyera each documenting distinct exploits that leverage the same underlying bug class. The vulnerabilities allow attackers to achieve remote code execution or read sensitive secrets, including API keys and database credentials.

Check Point Research chained a SQL injection in LangGraph’s SQLite checkpointer to full remote code execution. Tenable and VulnCheck tracked a path traversal in Langflow’s file upload endpoint to active, in-the-wild RCE. Cyera documented a path traversal in LangChain-core’s prompt loader that reads secrets off disk. All three attacks exploit a common weakness: the frameworks were not designed with the assumption that imported components constitute security boundaries.
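The two bug classes named above, path traversal on a caller-supplied filename and SQL built from a caller-supplied checkpoint key, are both fixed by the same habit: treat every value that crosses into the framework as untrusted data. The following is an added illustration written for this article, not code from Langflow, LangGraph or LangChain; the helper names `safe_upload_path`, `load_checkpoint` and `demo_store`, the table layout and the sample rows are all constructed assumptions.

```python
"""Hardened handling for the two input paths the article's bug classes target:
an upload filename that must stay inside a fixed directory, and a checkpoint
lookup keyed by a caller-supplied thread id. Hypothetical helpers, not the
frameworks' own code."""
import sqlite3
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a caller-supplied name would leave the upload directory."""


def safe_upload_path(base_dir: str, user_filename: str) -> Path:
    """Return base_dir/<name> only if the name is a bare file name that stays
    inside base_dir.

    Two independent checks: the raw string must be a single path component
    (no separators, no '.', '..' or empty name), and the joined path, once
    resolved (collapsing '..' and symlinks), must still have base_dir as its
    parent. Bad names are rejected rather than silently normalised so the
    caller can log the attempt.
    """
    if not user_filename or "\\" in user_filename:
        raise UnsafePath(f"rejected filename: {user_filename!r}")
    name = Path(user_filename).name
    if name != user_filename or name in (".", ".."):
        raise UnsafePath(f"rejected filename: {user_filename!r}")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise UnsafePath(f"rejected filename: {user_filename!r}")
    return candidate


def load_checkpoint(conn: sqlite3.Connection, thread_id: str):
    """Fetch one checkpoint row by thread id using a bound parameter.

    The thread id never becomes part of the SQL text, so quote characters or
    comment sequences inside it are matched as data, not parsed as syntax.
    Returns the (thread_id, state) tuple or None when no row matches.
    """
    return conn.execute(
        "SELECT thread_id, state FROM checkpoints WHERE thread_id = ?",
        (thread_id,),
    ).fetchone()


def demo_store() -> sqlite3.Connection:
    """Constructed in-memory checkpoint table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT PRIMARY KEY, state TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [("thread-1", '{"step": 3}'), ("thread-2", '{"step": 9}')],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    print(safe_upload_path("/tmp/uploads", "report.pdf"))
    for bad in ("../outside.txt", "sub/file.txt", "/abs.txt", ".."):
        try:
            safe_upload_path("/tmp/uploads", bad)
        except UnsafePath as exc:
            print(exc)
    store = demo_store()
    print(load_checkpoint(store, "thread-1"))
    print(load_checkpoint(store, "thread-1' OR '1'='1"))  # data, not syntax: None
```

The filename check deliberately rejects anything with a directory component instead of stripping it down to a basename, because a stripped name hides the fact that someone sent a traversal sequence; the resolved-parent comparison then catches symlink tricks the string check cannot see.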

An estimated 7,000 Langflow servers alone are currently under attack. The frameworks, which store agent state, handle file uploads, and hold credentials to databases and internal APIs, have become production infrastructure faster than security controls have adapted. Traditional endpoint and edge tools do not treat imported frameworks as boundaries worth guarding, leaving a critical blind spot.

These exploits highlight a structural risk in the AI agent ecosystem: as frameworks are rushed into production to power autonomous agents, their default configurations and unpatched dependencies become attractive targets. The attack surface is broad: LangGraph, LangChain, and Langflow each have substantial installed bases, and the same core bug class appears in all three.

Organizations deploying these frameworks should immediately assess whether they are running vulnerable versions and apply patches if available. The broader lesson is that any framework handling credentials or file uploads must be treated as a security boundary, not just a library.