LangChain Flaws Show How Open Source AI Secrets Can Leak At Scale

LangGraph, LangChain Flaws Raise Fresh Alarm Over AI Dependency Chains

Three severe flaws in LangChain and LangGraph expose files, secrets, and conversation histories, with researchers warning the risks can cascade through hundreds of downstream open-source AI libraries and agent stacks.

Critical flaws in LangChain and LangGraph have exposed a growing security risk at the heart of the open-source AI software stack, with the widely used frameworks allowing arbitrary file access, secret leakage, and SQL query manipulation.

The three vulnerabilities—CVE-2026-34070 (path traversal), CVE-2025-68664 (unsafe deserialisation), and CVE-2025-67644 (SQL injection in SQLite checkpoints)—put filesystem files, environment and API secrets, Docker configurations, workflow checkpoint data, and sensitive AI conversation histories at risk.

The story carries ecosystem-wide implications because LangChain and its orchestration layer LangGraph sit deep within the open-source AI dependency web, powering chatbots, assistants, agents, and workflow systems with more than 60 million combined PyPI downloads each week.

Vladimir Tokarev, Security Researcher at Cyera, said, “Each vulnerability exposes a different class of enterprise data: filesystem files, environment secrets, and conversation history.”

Cyera warned the frameworks “do not exist in isolation” but sit “at the center of a massive dependency web that stretches across the AI stack,” meaning the bugs can “ripple outward through every downstream library, every wrapper, every integration that inherits the vulnerable code path.”

Patches are now available through langchain-core 1.2.22, 0.3.81 / 1.2.5, and langgraph-checkpoint-sqlite 3.0.1, but researchers said patching alone is not enough. Developers must audit prompt-loading functions, keep secrets_from_env=False, treat LLM outputs as untrusted input, and validate metadata keys before checkpoint queries.
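One way to apply the last of those recommendations, validating metadata keys before a checkpoint query, is sketched below as an added example; it is not LangGraph's code or the patch. The table layout, the function names `build_metadata_filter` and `find_checkpoints`, and the identifier-only key policy are assumptions for illustration.

```python
import json
import re
import sqlite3

# Assumed policy: a metadata key is a plain identifier and nothing else.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def build_metadata_filter(filters):
    """Return (where_sql, params) for a dict of metadata key -> value filters."""
    clauses, params = [], []
    for key, value in filters.items():
        if not isinstance(key, str) or not _KEY_RE.fullmatch(key):
            raise ValueError(f"rejected metadata key: {key!r}")
        # Both the JSON path and the value are bound parameters, so the
        # SQL text never contains caller-supplied data.
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return " AND ".join(clauses) or "1=1", params


def find_checkpoints(conn, filters):
    """Look up thread ids whose metadata matches every filter."""
    where_sql, params = build_metadata_filter(filters)
    rows = conn.execute(
        f"SELECT thread_id FROM checkpoints WHERE {where_sql} ORDER BY thread_id",
        params,
    )
    return [row[0] for row in rows]


def demo_db():
    """Constructed sample data in a stand-in table, not the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [("t1", json.dumps({"user": "alice", "step": 1})),
         ("t2", json.dumps({"user": "bob", "step": 1}))],
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(find_checkpoints(conn, {"user": "alice"}))
    try:
        find_checkpoints(conn, {"user' OR '1'='1": "x"})  # constructed bad key
    except ValueError as exc:
        print(exc)
```

The key check runs before any SQL is assembled, so a key that fails the policy never reaches the database layer.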
