LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Summary
Security researchers discovered three vulnerabilities in LangChain and LangGraph, widely used open-source frameworks for building AI applications, that could expose sensitive files, environment secrets (like API keys), and conversation histories if exploited. The flaws are a path traversal vulnerability (allows access to files without permission), a deserialization vulnerability (tricks the app into exposing secrets), and an SQL injection vulnerability (lets attackers manipulate database queries). The affected packages account for millions of weekly downloads across enterprise systems.
Solution / Mitigation
The vulnerabilities have been patched in the following versions: CVE-2026-34070 in langchain-core >=1.2.22; CVE-2025-68664 in langchain-core 0.3.81 and 1.2.5; and CVE-2025-67644 in langgraph-checkpoint-sqlite 3.0.1. Users should apply these patches as soon as possible for optimal protection.
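To check an environment against the fixed versions listed above, the following added example (not code from the article or from the LangChain project) reads the installed package versions and reports each CVE's status. It assumes a release counts as patched only if it is at or above the highest listed fix, or at or above a listed fix on the same major.minor line; anything else is reported as unpatched.

```python
import re
from importlib import metadata

# Fixed versions exactly as listed in the mitigation text above.
FIXED = {
    "CVE-2026-34070": ("langchain-core", ["1.2.22"]),
    "CVE-2025-68664": ("langchain-core", ["0.3.81", "1.2.5"]),
    "CVE-2025-67644": ("langgraph-checkpoint-sqlite", ["3.0.1"]),
}

def release(version):
    """Numeric release tuple, e.g. '1.2.22rc1' -> (1, 2, 22); suffixes are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))

def is_patched(installed_version, fixes):
    # Assumption (not from the article): later releases on a line keep the fix,
    # and a line with no listed fix is treated as unpatched.
    v = release(installed_version)
    fixed = sorted(release(f) for f in fixes)
    if v >= fixed[-1]:
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixed)

def audit(installed_versions):
    """Map each CVE to 'patched', 'unpatched' or 'not installed'."""
    report = {}
    for cve, (pkg, fixes) in FIXED.items():
        ver = installed_versions.get(pkg)
        if ver is None:
            report[cve] = "not installed"
        else:
            report[cve] = "patched" if is_patched(ver, fixes) else "unpatched"
    return report

def installed():
    """Versions of the affected packages present in this environment."""
    found = {}
    for pkg in {p for p, _ in FIXED.values()}:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass
    return found

if __name__ == "__main__":
    for cve, status in audit(installed()).items():
        print(f"{cve}: {status}")
```

Run it inside each virtual environment or container image that ships these packages; "unpatched" means the installed version is below every fix the summary lists for that release line.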
Original source: https://thehackernews.com/2026/03/langchain-langgraph-flaws-expose-files.html
First tracked: March 27, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%