Your AI agent did exactly what it was designed to do. The framework underneath it just handed an attacker a shell on the box that holds your OpenAI key, your database credentials, and your CRM tokens. This is not a hypothetical scenario: in just a few months, three of the most widely deployed AI agent frameworks each turned known, ordinary bug classes into pathways for remote code execution. (source)
The risk to your production infrastructure
Frameworks like LangGraph, Langflow, and LangChain-core have become production infrastructure faster than anyone secured them. They store agent state, manage file uploads, load prompt configurations, and hold the credentials to your databases and internal APIs. Because these tools often sit in a blind spot—neither fully watched by edge traffic scanners nor fully monitored by endpoint process tools—they provide a perfect hiding place for exploits.
The root cause is a classic application security failure: insecure defaults. When you inherit the hygiene of every tool in your chain, you inherit their vulnerabilities too.
Three framework chains you need to patch
Security teams should prioritize these three specific chains immediately:
LangGraph SQL injection to Python shell: The langgraph-checkpoint-sqlite component (used by over 50 million downloads a month) contains CVE-2025-67644. An attacker who controls the filter can write a fabricated row into the checkpoint table, which the msgpack decoder then runs as a command. Update to langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2 to close this gap.
Langflow unauthenticated RCE: This is the one already under active attack. CVE-2026-5027 allows a path traversal in the file upload endpoint. Because Langflow often ships with auto-login enabled, an attacker can drop a file into your system without any credentials. Censys identified roughly 7,000 exposed instances. Switch to version 1.9.0 immediately.
LangChain-core prompt loader gap: CVE-2026-34070 allows an attacker to read arbitrary files, including the .env files that hold your ANTHROPIC_API_KEY and OPENAI_API_KEY. To fix this, update to langchain-core 1.2.22 or 0.3.86. Note that you must also clear CVE-2025-68664 by moving to 1.2.5 or 0.3.81.
How to defend your AI supply chain
Patch the three chains above immediately. Audit your dependency tree for all AI framework components. Disable auto-login and file upload endpoints that do not require authentication. Move API keys out of .env files and into managed secret stores. Monitor checkpoint databases and file upload directories for unexpected activity. Read more: Anthropic leak reveals Opus 4.7, Sonnet 4.8 in npm 2.1.88.










