Three of the most widely deployed AI agent frameworks share critical vulnerabilities that attackers actively exploit. Check Point Research documented SQL injection in LangGraph's SQLite checkpointer that chains to remote code execution. Tenable and VulnCheck identified path traversal bugs in Langflow's file upload endpoint enabling active RCE attacks. LangChain faces similar exposure vectors. Roughly 7,000 Langflow servers are currently under attack.
The vulnerabilities follow a predictable pattern. Developers build powerful frameworks to orchestrate AI agents and language models. They treat ordinary bug classes like SQL injection and path traversal as acceptable tradeoffs. The frameworks then hand attackers direct access to production secrets: OpenAI API keys, database credentials, CRM tokens, and customer data.
LangGraph's checkpointer stores agent state in SQLite without proper input sanitization. A malicious prompt injected through an AI agent triggers SQL injection, escalating to code execution on the host machine. LangChain shares the same architectural weakness. Langflow's file upload handler fails to validate paths, allowing attackers to write arbitrary files and execute code.
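The two bug classes described above are easiest to see side by side in code. The following is an added illustration written for this article, not code from LangGraph, LangChain or Langflow: a toy SQLite checkpoint store in which `save_checkpoint_unsafe` builds SQL by string formatting (so an apostrophe in a `thread_id` already alters the statement) next to a parameterized `save_checkpoint_safe`, plus `resolve_upload_path`, which accepts only a bare filename and confirms the resolved path stays inside the upload directory. All function names, the table layout and the sample inputs are constructed for the example.

```python
import os
import sqlite3
from pathlib import Path

# Constructed illustration of the two bug classes named in the article.
# None of these names or schemas come from the affected projects.


def make_store() -> sqlite3.Connection:
    """In-memory SQLite table standing in for an agent checkpoint store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT PRIMARY KEY, state TEXT)")
    return conn


def save_checkpoint_unsafe(conn: sqlite3.Connection, thread_id: str, state: str) -> None:
    """Interpolates the caller-controlled thread_id straight into the SQL text.
    Any quote character in thread_id changes the structure of the statement,
    which is the precondition for SQL injection."""
    conn.execute(
        f"INSERT OR REPLACE INTO checkpoints VALUES ('{thread_id}', '{state}')"
    )


def save_checkpoint_safe(conn: sqlite3.Connection, thread_id: str, state: str) -> None:
    """Parameterized statement: the driver sends values separately from the SQL,
    so the content of thread_id can never be parsed as SQL."""
    conn.execute(
        "INSERT OR REPLACE INTO checkpoints VALUES (?, ?)", (thread_id, state)
    )


def load_checkpoint(conn: sqlite3.Connection, thread_id: str):
    row = conn.execute(
        "SELECT state FROM checkpoints WHERE thread_id = ?", (thread_id,)
    ).fetchone()
    return row[0] if row else None


def unsafe_breaks_on_quote(thread_id: str) -> bool:
    """True when the string-formatted version cannot even process the input,
    i.e. the input has been interpreted as part of the SQL text."""
    conn = make_store()
    try:
        save_checkpoint_unsafe(conn, thread_id, "{}")
    except sqlite3.OperationalError:
        return True
    return False


def resolve_upload_path(upload_root: str, client_filename: str) -> Path:
    """Return the on-disk path for an upload, or raise ValueError.

    Two independent checks: the client may only send a bare filename (no
    directory component at all), and the fully resolved target must sit
    directly under the resolved upload root."""
    name = os.path.basename(client_filename)
    if name in ("", ".", "..") or name != client_filename:
        raise ValueError(f"rejected upload name: {client_filename!r}")
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"path escapes upload root: {client_filename!r}")
    return target


def upload_name_is_safe(upload_root: str, client_filename: str) -> bool:
    """Boolean wrapper around resolve_upload_path for callers that only need a verdict."""
    try:
        resolve_upload_path(upload_root, client_filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a thread id containing an apostrophe and
    # two upload names, one plain and one carrying a directory component.
    conn = make_store()
    save_checkpoint_safe(conn, "o'brien", '{"step": 1}')
    print("safe store round-trip:", load_checkpoint(conn, "o'brien"))
    print("unsafe store breaks on apostrophe:", unsafe_breaks_on_quote("o'brien"))
    print("plain upload name accepted:", upload_name_is_safe("/tmp/uploads", "flow.json"))
    print("traversal name accepted:", upload_name_is_safe("/tmp/uploads", "../../etc/passwd"))
```

The detection side follows from the same two points: a state store whose query text varies with the thread id, or an upload handler that joins the client-supplied name onto a directory without re-resolving it, is the pattern to flag in review; the parameterized call and the `target.parent != root` comparison are the fixes.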
The timing matters. These aren't theoretical flaws buried in niche packages. LangGraph and LangChain are part of the LangSmith ecosystem backed by Anthropic. Langflow is a no-code platform for building LLM applications. Enterprise teams deployed these frameworks at scale without waiting for security hardening.
The attack surface expanded because AI agents run continuously in production, often with broad permissions. A bug that would be low-impact in a traditional web app becomes critical when an AI system with database access and API credentials sits exposed. Checkpointing mechanisms designed to persist agent state between runs created an obvious persistence vector attackers immediately exploited.
Organizations running Langflow, LangGraph, or LangChain need immediate
