LangChain and LangGraph: 'Each vulnerability exposes a different class of enterprise data': LangChain framework hit by several worrying security issues — here's what we know

LangChain and LangGraph Patch Critical Vulnerabilities Exposing Sensitive Data

LangChain and LangGraph, two widely used open-source frameworks for building AI applications, recently addressed three high-severity vulnerabilities that could allow threat actors to exfiltrate sensitive data. With over 60 million combined weekly downloads on the Python Package Index (PyPI), these tools are integral to AI development, powering chatbots, assistants, and multi-step AI workflows.

The vulnerabilities included:

  • CVE-2026-34070 (7.5/10) – A path traversal flaw in LangChain enabling arbitrary file access without validation.
  • CVE-2025-68664 (9.3/10) – A critical deserialization issue in LangChain leaking API keys and environment secrets.
  • CVE-2025-67644 (7.3/10) – An SQL injection vulnerability in LangGraph’s SQLite checkpoint implementation, allowing query manipulation.

Security researcher Vladimir Tokarev of Cyera noted that these flaws exposed different types of enterprise data, including filesystem files, environment secrets, and conversation histories. Exploitation could lead to unauthorized access to Docker configurations, prompt injection attacks, and exposure of sensitive workflow data.

Patches have been released, with fixes available in the following versions:

  • CVE-2026-34070: LangChain-core ≥1.2.22
  • CVE-2025-68664: LangChain-core ≥0.3.81 or ≥1.2.5
  • CVE-2025-67644: LangGraph-checkpoint-sqlite ≥3.0.1
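A quick audit of an environment against the fixed versions listed above, as an added example (not code from Cyera, TechRadar or the LangChain project). It assumes that "≥0.3.81 or ≥1.2.5" means the 0.3.x line from 0.3.81 and the 1.x line from 1.2.5. Because the article gives only fixed versions, the check reports "below the listed fix", which may over-report for release lines a flaw never affected.

```python
import re
from importlib import metadata

PACKAGES = ("langchain-core", "langgraph-checkpoint-sqlite")


def parse(version):
    """First three numeric components; pre-release/local tags are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("+")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def missing_fixes(package, version):
    """CVEs from the article whose listed fixed version is above `version`."""
    v = parse(version)
    found = []
    if package == "langchain-core":
        if v < (1, 2, 22):
            found.append("CVE-2026-34070")
        # Assumption: two fixed release lines, 0.3.x (>=0.3.81) and 1.x (>=1.2.5).
        fixed = (v[0] == 0 and v >= (0, 3, 81)) or v >= (1, 2, 5)
        if not fixed:
            found.append("CVE-2025-68664")
    elif package == "langgraph-checkpoint-sqlite":
        if v < (3, 0, 1):
            found.append("CVE-2025-67644")
    return found


def audit_installed():
    """Map each package to its missing fixes, or None if it is not installed."""
    report = {}
    for pkg in PACKAGES:
        try:
            report[pkg] = missing_fixes(pkg, metadata.version(pkg))
        except metadata.PackageNotFoundError:
            report[pkg] = None
    return report


if __name__ == "__main__":
    for pkg, cves in audit_installed().items():
        print(pkg, "not installed" if cves is None else (cves or "at fixed versions"))
```

Run it inside each virtual environment or container image that ships these packages, since transitive dependencies can pin an older release than the application declares.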

Cyera emphasized that these vulnerabilities highlight broader risks in AI infrastructure, particularly in foundational components like LangChain, which serves as a dependency for hundreds of downstream libraries. The flaws could propagate through the AI stack, affecting integrations and wrappers that inherit the vulnerable code.

To mitigate risks, developers were advised to audit configurations, avoid enabling secrets_from_env=True when deserializing untrusted data, and treat LLM outputs as untrusted input. Additionally, metadata filter keys should be validated before being passed to checkpoint queries to prevent injection attacks.

Source: https://www.techradar.com/pro/security/each-vulnerability-exposes-a-different-class-of-enterprise-data-langchain-framework-hit-by-several-worrying-security-issues-heres-what-we-know

LangChain cybersecurity rating report: https://www.rankiteo.com/company/langchain
