Langflow, LangGraph, and LangChain-core all have critical CVEs.
One is already being exploited. 7,000 instances exposed on the internet right now.
Langflow: CVSS 8.8. Path traversal in file upload. One unauthenticated request = full system takeover. Patch shipped April 15. Exploitation confirmed June 9. Auto-login enabled by default.
LangGraph: SQL injection in the SQLite checkpointer chains to RCE via unsafe msgpack deserialization. 50 million monthly downloads. Proof of concept is public.
LangChain-core: Path traversal in the prompt loader reads your .env file off disk. Your OPENAI_API_KEY. Your ANTHROPIC_API_KEY. Gone.
Same bug class. Different frameworks.
Path traversal. SQL injection. Unsafe deserialization.
Classic AppSec bugs living inside AI infrastructure your scanners were never built to find.
Your WAF sees HTTP at the edge. Your EDR watches the endpoint. Neither sees the msgpack decoder running three layers down in an imported framework. The attack lives in the code your code imports.
Run `pip show langflow langgraph langchain-core` on every production system tonight.
Any version below the patched release means you are exposed.
Pull Langflow behind VPN. Disable auto-login. Rotate every API key a vulnerable instance could have read.
This is not a frontier-model problem. It is plumbing. And it is being exploited right now.
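The version check above can be scripted for a whole fleet. The following is an added example, not code from the post or from any of the three projects; the function names are illustrative, and the patched-version thresholds are placeholders to fill in from each vendor advisory because the post does not state them.

```python
import os
import re
from importlib import metadata

# ASSUMPTION: the post gives no fixed version numbers. Fill each value in from
# the vendor advisory; None means "threshold unknown", never "safe".
PATCHED_MIN = {"langflow": None, "langgraph": None, "langchain-core": None}

def parse_version(text):
    """Leading numeric release segment: '0.3.12rc1' -> (0, 3, 12)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group().split("."))

def is_below(installed, patched):
    """True when installed < patched; pads so that 1.2 equals 1.2.0."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def installed_version(name):
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:  # package absent from this environment
        return None

def audit(patched_min, lookup=installed_version, env=os.environ):
    """Map each package (plus Langflow auto-login) to a finding string."""
    findings = {}
    for pkg, fixed in patched_min.items():
        have = lookup(pkg)
        if have is None:
            findings[pkg] = "not installed"
        elif fixed is None:
            findings[pkg] = f"{have}: no threshold set, check the advisory"
        elif is_below(have, fixed):
            findings[pkg] = f"{have}: EXPOSED (below {fixed})"
        else:
            findings[pkg] = f"{have}: at or above {fixed}"
    # LANGFLOW_AUTO_LOGIN is Langflow's setting; unset means the default (on).
    auto = env.get("LANGFLOW_AUTO_LOGIN", "true").strip().lower()
    if lookup("langflow") is not None and auto != "false":
        findings["langflow auto-login"] = "enabled: set LANGFLOW_AUTO_LOGIN=false"
    return findings

if __name__ == "__main__":
    for item, finding in audit(PATCHED_MIN).items():
        print(f"{item}: {finding}")
```

Run it inside each virtualenv or container image, since `importlib.metadata` only sees the interpreter it runs under. Pre-release suffixes are ignored, so `1.2.0rc1` compares equal to `1.2.0`.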
Enterprise AI Impact