Langflow, LangGraph, and LangChain-core all shipped production infrastructure with the same classical AppSec flaws.
Path traversal. SQL injection. Unsafe deserialization.
None of them are zero-days. All of them are patched. And one is already under active exploitation.
Langflow CVE-2026-5027 (CVSS 8.8) lets an unauthenticated attacker write a file anywhere on the server through the file upload endpoint. Auto-login is on by default. One request. That's it.
Censys found 7,000 exposed instances. VulnCheck confirmed exploitation on June 9. The patch shipped April 15. That's two months of open exposure.
LangGraph's SQLite checkpointer chains a SQL injection into full remote code execution through the msgpack decoder. Check Point published a working PoC. No in-the-wild exploitation yet. That clock is ticking.
LangChain-core's prompt loader reads arbitrary files off disk, including your .env with OPENAI_API_KEY and ANTHROPIC_API_KEY.
Here's what should terrify your CISO: your WAF doesn't see these. Your EDR doesn't flag them. The exploit lives inside the framework your code imports, three layers below where your scanners look.
These frameworks hold your database credentials, CRM tokens, and provider keys. One RCE exposes everything the process can reach.
Audit every Langflow, LangGraph, and LangChain deployment tonight. Check your version numbers. Pull exposed instances behind access controls. Rotate any key a vulnerable instance could have read.
This is not an AI risk. It's your traditional security program failing at a new layer.
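An added example, not code from Langflow or LangChain-core, showing the path-confinement check that closes the bug class behind the file-write and file-read issues above. The function names, directory layout and sample filenames are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the allowed base directory."""


def naive_join(base: str, user_name: str) -> str:
    # Weak pattern: trusts the caller-supplied name. os.path.join discards
    # `base` entirely when user_name is absolute, and ".." climbs out of it.
    return os.path.normpath(os.path.join(base, user_name))


def confined_path(base: str, user_name: str) -> Path:
    # Hardened pattern: resolve symlinks and ".." first, then require the
    # result to sit strictly under the resolved base directory.
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_name).resolve()
    if base_dir not in candidate.parents:
        raise PathEscapeError(f"{user_name!r} resolves outside {base_dir}")
    return candidate


def demo() -> dict:
    # Constructed sample inputs; returns {name: "ok" | "blocked"}.
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.mkdir(base)
        # A symlink inside the base that points back out of it.
        os.symlink(root, os.path.join(base, "link"))
        samples = ["report.json", "sub/prompt.yaml", "../.env",
                   "/etc/passwd", "link/.env"]
        for name in samples:
            try:
                confined_path(base, name)
                results[name] = "ok"
            except PathEscapeError:
                results[name] = "blocked"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The same check applies on both the write side (upload destinations) and the read side (template or prompt files loaded by name).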