3 AI agent frameworks let attackers reach your keys and shells via classic bugs
Check Point, VulnCheck, and Cyera found SQL injection, path traversal, and unsafe deserialization inside Langflow, LangGraph, and LangChain-core.

Check Point Research, VulnCheck, and Cyera disclosed vulnerabilities that let attackers chain classic appsec bugs into remote code execution through Langflow, LangGraph, and LangChain-core. For decision-makers, the consequence is simple: your AI agent security controls can’t “see” the framework plumbing where the exploit actually lands.
If you run AI agents, you probably optimized for “prompt safety” and model guardrails. The problem is that the compromise rarely starts with the model. It starts where code is easiest to ship and hardest to police: the agent framework you imported to make production go faster.
Within a few months, three widely deployed AI agent frameworks turned ordinary, well-known bug classes into a way in, and Check Point Research, VulnCheck, and Cyera all documented the same outcome: a path to a shell on a box that can reach OpenAI keys, database credentials, and CRM tokens. In LangGraph, a SQL injection in the SQLite checkpointer can be chained into full remote code execution; in Langflow, an unauthenticated path traversal in the file upload endpoint leads to RCE; and in LangChain-core, the legacy prompt loader allows arbitrary file reads that, paired with a separate deserialization issue, become secret retrieval off disk.
The scary part for execs is not that the vulnerabilities are “new AI.” The bugs are old: SQL injection, path traversal, and unsafe deserialization. What changed is the environment they now live in. These frameworks store agent state, accept file uploads, load prompt configurations, and often sit close to the credentials that keep enterprise systems running. That means when they’re exposed or misconfigured, attackers do not need to outsmart “intelligence.” They just need to exploit the boring plumbing.
Start with LangGraph. Check Point Research says a trio of vulnerabilities in the checkpointer layer can chain into RCE under the right conditions. CVE-2025-67644, rated CVSS 7.3, is a SQL injection in the SQLite checkpointer. When a deployment self-hosts LangGraph with the SQLite (or Redis) checkpointer and untrusted input reaches the checkpoint history lookup (for example, get_state_history()), the WHERE clause is built from user-controlled filter keys without parameterization or escaping. In practice, that lets an attacker fabricate rows in the checkpoint table. Note the precondition: the chain only starts if caller-supplied filters can reach the checkpointer, so the first question for a self-hosted deployment is which API paths pass untrusted filter keys through. CVE-2026-28277, rated CVSS 6.8, takes the next step: the msgpack checkpoint decoder can rebuild Python objects from stored data, including importing a module and calling a named function with attacker-supplied arguments. If the crafted checkpoint instructs a call such as os.system, the code runs under the identity of the agent server. Check Point Research also reports that CVE-2026-27022, rated CVSS 6.5, reaches the same place through the Redis checkpointer. No confirmed in-the-wild exploitation has been reported for LangGraph yet, though a proof-of-concept is public. The fixes are version bumps: langgraph-checkpoint-sqlite to 3.0.1, langgraph to 1.0.10, and langgraph-checkpoint-redis to 1.0.2.
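To make the LangGraph chain concrete, here is an added illustration of the two bug classes on a constructed toy checkpoint store. It is not LangGraph's code and not Check Point's proof-of-concept: a history lookup that pastes caller-supplied filter keys into its WHERE clause, and a decoder that turns stored "call this module.function" records into live calls, each shown beside a hardened version. The table, the rows, the __call__ tag, and the names history_unsafe, history_safe, decode_unsafe and decode_safe are all assumptions for illustration. It uses JSON rather than msgpack so it runs on the standard library alone, and the planted record calls os.getenv instead of os.system, so the demo reads a placeholder environment variable instead of running a command.

```python
import importlib
import json
import os
import sqlite3


# Constructed toy schema and rows for illustration; this is not LangGraph's checkpoint layout.
def make_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, payload TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [
            ("thread-A", "cp-1", json.dumps({"step": 1})),
            ("thread-B", "cp-1", json.dumps({"step": 7})),
            # A row an attacker managed to plant: a "checkpoint" that is really a call instruction.
            ("thread-B", "cp-2", json.dumps({"__call__": "os.getenv", "args": ["OPENAI_API_KEY"]})),
        ],
    )
    return conn


# Vulnerable pattern 1: filter keys and values are pasted straight into the WHERE clause.
def history_unsafe(conn, filters):
    where = " AND ".join(f"{key} = '{value}'" for key, value in filters.items())
    sql = f"SELECT thread_id, checkpoint_id, payload FROM checkpoints WHERE {where}"
    return conn.execute(sql).fetchall()


# Vulnerable pattern 2: a decoder that "rebuilds objects" by importing a module and calling a name.
def decode_unsafe(payload):
    obj = json.loads(payload)
    if isinstance(obj, dict) and "__call__" in obj:
        module_name, attr = obj["__call__"].rsplit(".", 1)
        return getattr(importlib.import_module(module_name), attr)(*obj.get("args", []))
    return obj


# Hardened lookup: only known column names may be filtered, and values always travel as parameters.
ALLOWED_FILTERS = {"thread_id", "checkpoint_id"}


def history_safe(conn, filters):
    unknown = set(filters) - ALLOWED_FILTERS
    if unknown:
        raise ValueError(f"unsupported filter keys: {sorted(unknown)}")
    where = " AND ".join(f"{key} = ?" for key in filters)
    sql = f"SELECT thread_id, checkpoint_id, payload FROM checkpoints WHERE {where}"
    return conn.execute(sql, list(filters.values())).fetchall()


# Hardened decoder: stored data stays data. Only an explicit allowlist of type tags maps to
# constructors, and "module.function" strings from storage are never imported or called.
SAFE_CONSTRUCTORS = {"set": set, "tuple": tuple}


def decode_safe(payload):
    obj = json.loads(payload)
    if isinstance(obj, dict) and "__call__" in obj:
        raise ValueError("refusing to execute a call instruction found in checkpoint data")
    if isinstance(obj, dict) and "__type__" in obj:
        ctor = SAFE_CONSTRUCTORS.get(obj["__type__"])
        if ctor is None:
            raise ValueError(f"unknown type tag {obj['__type__']!r}")
        return ctor(obj.get("value", []))
    return obj


def run_demo():
    os.environ["OPENAI_API_KEY"] = "sk-constructed-example"  # placeholder, not a real key
    conn = make_store()
    # The caller meant to list thread-A only, but the crafted *key* rewrites the WHERE clause to
    #   WHERE thread_id = 'thread-A' OR 1=1 -- = 'x'
    injected = {"thread_id = 'thread-A' OR 1=1 --": "x"}
    leaked = history_unsafe(conn, injected)
    planted = next(payload for _, cp_id, payload in leaked if cp_id == "cp-2")
    results = {
        "rows_leaked": len(leaked),  # every thread's checkpoints, not just thread-A
        "secret_via_decoder": decode_unsafe(planted),  # the decoder hands back the env secret
        "safe_rows": len(history_safe(conn, {"thread_id": "thread-A"})),
        # With parameters the same injection string is just a value that matches nothing.
        "safe_rows_for_injected_value": len(history_safe(conn, {"thread_id": "thread-A' OR 1=1 --"})),
        "typed_value": decode_safe('{"__type__": "set", "value": [1, 1, 2]}'),
    }
    try:
        history_safe(conn, injected)
        results["safe_rejects_key"] = False
    except ValueError:
        results["safe_rejects_key"] = True
    try:
        decode_safe(planted)
        results["safe_rejects_call"] = False
    except ValueError:
        results["safe_rejects_call"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The toy shows the read side of the injection (one crafted filter key collapses the thread scoping and returns every tenant's rows); with a driver or code path that accepts stacked statements, the same interpolation becomes the write that plants the row, which is the step the article describes. The two hardened functions are independent, and that is the point: even if a fabricated row lands in the table, a decoder that never imports or calls names from stored data has nothing to execute.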
Then there is Langflow, the one already showing active attacker behavior. CVE-2026-5027, rated CVSS 8.8, is a path traversal in the POST /api/v2/files endpoint. The filename is taken from form data and written to disk unsanitized, so an attacker can pack traversal sequences into it and write files anywhere, including cron job locations such as /etc/cron.d/. Because Langflow ships with auto-login enabled in its default configuration, an exposed instance can be attacked without credentials. VulnCheck’s Caitlin Condon confirmed exploitation on June 9, saying: “Our Canaries observed exploitation of CVE-2026-5027 that successfully leveraged the path traversal to write what appear to be test files on victim systems.” Censys reportedly found roughly 7,000 exposed instances on the internet, most in North America. This is the third Langflow flaw to draw active exploitation this year, after CVE-2025-34291, which the Iranian state-sponsored group MuddyWater weaponized and which CISA added to its Known Exploited Vulnerabilities catalog in May. CVE-2026-5027 was patched in version 1.9.0, released April 15, and VulnCheck added it to its exploited-vulnerabilities list on June 8 once sensors caught the first in-the-wild hits. Attacks began in June, so any instance left unpatched since April 15 had been exposed for almost two months by the time the first hits landed.
Finally, LangChain-core, the foundation layer under many internal agent stacks and third-party deployments alike. Cyera says CVE-2026-34070, rated CVSS 7.5, is a path traversal in a legacy prompt-loading API. load_prompt() reads a file path out of a config dict with no check against traversal sequences or absolute paths, allowing arbitrary file reads. That includes sensitive files on disk such as the .env file holding OPENAI_API_KEY and ANTHROPIC_API_KEY. Cyera paired that with CVE-2025-68664, rated CVSS 9.3, a deserialization flaw that resolves environment secrets through a crafted object. If an attacker can reach both conditions, the loader path gives them the files that hold secrets and the unsafe deserialization behavior lets them resolve and exfiltrate those secrets through the runtime. Fix versions differ: CVE-2026-34070 lands in langchain-core 1.2.22 and 0.3.86, while CVE-2025-68664 lands in 1.2.5 and 0.3.81. Check installed versions against both floors: a deployment that upgraded for CVE-2025-68664 but is pinned below 1.2.22 or 0.3.86 still has the file-read path open.
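The Langflow upload bug and the LangChain-core prompt-loader bug are the same omission seen from two sides: a caller-controlled path is joined to a base directory and used as-is, once for a write and once for a read. The following is an added example, not Langflow's or LangChain's code, of the single check that closes both: resolve the path fully, then refuse anything that lands outside the intended directory. The helpers confine, save_upload and load_prompt_template, the template_path config key, and the sample files are assumptions for illustration; the demo builds a scratch directory tree so it runs offline, and it also covers a case the article does not mention, a symlink planted inside the allowed directory that points outside it.

```python
import os
import tempfile


class PathOutsideBase(ValueError):
    """Raised when an untrusted path would escape its base directory."""


def confine(base_dir, untrusted):
    # Resolve both sides fully ('..' segments and symlinks included) and compare the real prefix.
    # os.path.join drops base_dir when `untrusted` is absolute, so the realpath comparison is
    # what rejects '/etc/cron.d/x' just as it rejects '../../etc/cron.d/x'.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted))
    # commonpath, not startswith: '/srv/uploads-old/x' must not pass for base '/srv/uploads'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathOutsideBase(f"{untrusted!r} resolves outside {base}")
    return candidate


def save_upload(upload_dir, filename, data):
    # The vulnerable form described in the article joins the raw form filename and writes.
    # Hardened form: confine first, so the write never happens for an escaping name.
    path = confine(upload_dir, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def load_prompt_template(prompts_dir, config):
    # The config dict names the file; only files that really live inside prompts_dir may be read.
    path = confine(prompts_dir, config["template_path"])
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def run_demo():
    root = tempfile.mkdtemp(prefix="confine-demo-")
    uploads = os.path.join(root, "uploads")
    prompts = os.path.join(root, "prompts")
    os.makedirs(uploads)
    os.makedirs(prompts)
    with open(os.path.join(prompts, "greet.txt"), "w", encoding="utf-8") as fh:
        fh.write("Hello {name}")  # constructed prompt template
    env_path = os.path.join(root, ".env")  # stands in for the secrets file outside both dirs
    with open(env_path, "w", encoding="utf-8") as fh:
        fh.write("OPENAI_API_KEY=sk-constructed-example\n")  # placeholder, not a real key
    os.symlink(env_path, os.path.join(prompts, "innocent.txt"))  # planted link inside prompts/

    results = {
        "upload_ok": os.path.isfile(save_upload(uploads, "report.pdf", b"%PDF-")),
        "prompt_ok": load_prompt_template(prompts, {"template_path": "greet.txt"}),
    }
    attempts = {
        "traversal_write": lambda: save_upload(uploads, "../../etc/cron.d/agent", b"* * * * * root id\n"),
        "absolute_write": lambda: save_upload(uploads, "/etc/cron.d/agent", b"* * * * * root id\n"),
        "traversal_read": lambda: load_prompt_template(prompts, {"template_path": "../.env"}),
        "absolute_read": lambda: load_prompt_template(prompts, {"template_path": env_path}),
        "symlink_read": lambda: load_prompt_template(prompts, {"template_path": "innocent.txt"}),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "ALLOWED"
        except PathOutsideBase:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check runs on the resolved path rather than on the string, which is why stripping "../" from input is not a substitute: an absolute path contains no traversal sequence at all, and a symlink inside the allowed directory looks perfectly clean until it is resolved.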
So what makes these incidents slip through? The key point is that this failure does not announce itself as an AI incident. Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, told VentureBeat the risk will feel like traditional security controls failing, not like “AI risk,” describing scenarios where an employee pastes sensitive data into a tool or an attacker finds an unauthenticated MCP server. The same logic applies to these frameworks: the exploit lives in the framework your code imports, so scanners and monitoring tools may not be looking at “framework plumbing” nested three layers down. A WAF might not watch what a msgpack decoder does inside the checkpointer. An EDR might see process calls that look routine because they happen constantly in agent systems. Both tools can be doing their job and still miss the chain.
There is also a governance and defaults problem layered on top of the technical bugs. Baer specifically pointed to “insecure defaults” and said insecure defaults in protocol rollouts show up again and again if authentication and least privilege are not built in from day one. In the Langflow case, auto-login is effectively that default becoming the vulnerability. In the LangGraph and LangChain-core cases, the same pattern shows up as exposed endpoints and unsafe behavior that turns imported libraries into attack surface.
For boards and CISOs, the strategic implication is brutal but manageable: these are not “frontier model” issues. They are production engineering and enterprise hygiene issues occurring at the interface between AI agents and the systems they touch. When AI agent frameworks ship to production faster than they’re secured, attackers get time. And when the patch clock is treated like compliance theater rather than real operational urgency, the window between release and exploitation becomes the thing that decides which team gets breached first.