Full Report
Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history. Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of
Analysis Summary
# Vulnerability: LangChain and LangGraph Data Exfiltration Suite
## CVE Details
- **CVE ID:** CVE-2026-34070 | CVE-2025-68664 | CVE-2025-67644
- **CVSS Score:** 7.5 (High) | 9.3 (Critical) | 7.3 (High)
- **CWE:**
  - CVE-2026-34070: CWE-22 (Path Traversal)
  - CVE-2025-68664: CWE-502 (Deserialization of Untrusted Data)
  - CVE-2025-67644: CWE-89 (SQL Injection)
## Affected Systems
- **Products:** LangChain, LangChain-Core, LangGraph (specifically `langgraph-checkpoint-sqlite`)
- **Versions:**
  - LangChain-Core: Versions prior to 0.3.81 and 1.2.22
  - LangGraph SQLite Checkpointer: Versions prior to 3.0.1
- **Configurations:** Systems that use the prompt-loading APIs, applications that process user-supplied data structures as serialized objects, and deployments that use SQLite for conversation state/checkpointing.
## Vulnerability Description
Researchers from Cyera disclosed three distinct flaws within the AI orchestration ecosystem:
1. **CVE-2026-34070:** A path traversal flaw in `langchain_core/prompts/loading.py`. Attackers can supply a specially crafted prompt template to the prompt-loading API to bypass validation and read arbitrary files from the server's filesystem.
2. **CVE-2025-68664 (LangGrinch):** A critical deserialization flaw. By passing a specific data structure as input, an attacker can trick the system into interpreting user data as a pre-serialized LangChain object, leading to the leakage of environment secrets and API keys.
3. **CVE-2025-67644:** An SQL injection vulnerability in the LangGraph SQLite checkpoint implementation. Attackers can manipulate metadata filter keys to execute arbitrary SQL queries against the underlying database.
## Exploitation
- **Status:** PoC details available via researcher reports; no widespread "in-the-wild" exploitation confirmed for these specific IDs at the time of the report (though similar AI framework flaws like CVE-2026-33017 are actively exploited).
- **Complexity:** Medium (requires knowledge of LangChain internal object structures or prompt template formats).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to Docker configs, environment secrets, and full conversation histories).
- **Integrity:** Medium (SQL injection allows for manipulation of stored states).
- **Availability:** Low
## Remediation
### Patches
Update to the following versions or higher:
- **langchain-core:** >=1.2.22 or 0.3.81 (depending on branch)
- **langgraph-checkpoint-sqlite:** >=3.0.1
### Workarounds
- Implement strict input validation on all user-provided prompt templates.
- Sanitize metadata filters used in LangGraph checkpointing.
- Apply the principle of least privilege to the environment variables and filesystems where AI agents operate.
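
The first two workarounds can be enforced at the application boundary, before input reaches the framework. The sketch below is an added example, not code from LangChain, LangGraph, or the Cyera report. The function names are hypothetical, and it assumes filter keys are plain identifiers with scalar values and that prompt files live under one dedicated directory as `.json`/`.yaml`/`.yml`.

```python
import re
from pathlib import Path

# Assumption: legitimate filter keys are plain identifiers. Anything else is
# rejected before it can reach a checkpointer that builds SQL from key names.
_SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
_SCALARS = (str, int, float, bool, type(None))


def validate_metadata_filter(flt):
    """Return a copy of flt, or raise ValueError on an unsafe key or value."""
    if not isinstance(flt, dict):
        raise ValueError("metadata filter must be a dict")
    clean = {}
    for key, value in flt.items():
        if not isinstance(key, str) or not _SAFE_KEY.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        if not isinstance(value, _SCALARS):
            raise ValueError(f"rejected non-scalar value for {key!r}")
        clean[key] = value
    return clean


def resolve_prompt_path(base_dir, user_path,
                        allowed_suffixes=(".json", ".yaml", ".yml")):
    """Resolve user_path under base_dir; raise ValueError if it escapes."""
    base = Path(base_dir).resolve()
    # resolve() collapses ../ segments and follows symlinks, so the
    # containment check runs on the real target, not the supplied string.
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"path escapes prompt directory: {user_path!r}")
    if candidate.suffix.lower() not in allowed_suffixes:
        raise ValueError(f"unexpected prompt file type: {candidate.suffix!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs; /srv/prompts is a placeholder directory.
    print(validate_metadata_filter({"user_id": "u-17", "step": 3}))
    for path in ("support/greeting.yaml", "../../.env"):
        try:
            print("ok:", resolve_prompt_path("/srv/prompts", path))
        except ValueError as exc:
            print("blocked:", exc)
```

Log each `ValueError` with the caller's identity: rejected keys and escaping paths are the same signals the Detection section lists.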
## Detection
- **Indicators of Compromise:** Unusual file access patterns (e.g., attempts to access `/etc/passwd` or `.env` files via the prompt API), SQL syntax errors in SQLite logs related to metadata filtering, and unexpected serialization errors in application logs.
- **Detection methods and tools:** Static Analysis Security Testing (SAST) to identify vulnerable LangChain library versions; monitoring for prompt injection attempts that include directory traversal sequences (`../`).
## References
- **Vendor Advisories:**
  - hxxps://github[.]com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54
  - hxxps://github[.]com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
  - hxxps://github[.]com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c
- **Researcher Report:** hxxps://www[.]cyera[.]com/research/langdrained-3-paths-to-your-data-through-the-worlds-most-popular-ai-framework