Three major AI agent frameworks contain critical vulnerabilities that allow attackers to execute arbitrary code and steal sensitive credentials. Check Point Research discovered that LangGraph's SQLite checkpointer suffers from SQL injection flaws that chain to remote code execution. Tenable and VulnCheck identified path traversal bugs in Langflow's file upload system that are being actively exploited in the wild. LangChain shares the same vulnerability classes across its infrastructure.
The attacks work because these frameworks store API keys, database credentials, and CRM tokens on the same servers running the agent code. When an attacker chains SQL injection or path traversal exploits together, they gain shell access to systems holding the crown jewels of modern AI deployments.
Langflow deployments face immediate danger. At least 7,000 exposed servers running the framework are under active attack right now. Threat actors exploit the path traversal flaw to upload malicious files and execute them, compromising entire infrastructures in minutes.
These are not novel attack vectors. SQL injection and path traversal are decades-old vulnerability classes that security teams should catch during code review. The problem lies in how these frameworks architected their checkpointing and file handling systems. They moved validation logic to the wrong place or skipped it entirely.
LangGraph's issue stems from treating user input as SQL without proper parameterization. Langflow's path traversal flaw allows attackers to write files outside intended directories by manipulating file paths during upload. LangChain suffers from similar architectural oversights.
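The two bug classes described above, shown as an added example that is not code from LangGraph, Langflow or LangChain: a string-built SQLite lookup beside its parameterized form, and an upload path check that resolves the path before comparing it to the upload directory. The table layout, function names and sample inputs are hypothetical and constructed for illustration.

```python
import sqlite3
from pathlib import Path

def make_db():
    # Constructed sample data: a hypothetical checkpoint table, not a real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, state TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                   [("alice", "state-a"), ("bob", "state-b")])
    return db

def load_unsafe(db, thread_id):
    # Weak form: caller input is concatenated into the statement text,
    # so quote characters in thread_id change the structure of the query.
    sql = "SELECT state FROM checkpoints WHERE thread_id = '" + thread_id + "'"
    return [row[0] for row in db.execute(sql)]

def load_safe(db, thread_id):
    # Hardened form: the statement text is fixed and input is bound as a value.
    sql = "SELECT state FROM checkpoints WHERE thread_id = ?"
    return [row[0] for row in db.execute(sql, (thread_id,))]

def resolve_upload(base_dir, client_name):
    # Resolve the final location first, then require it to stay under base_dir.
    # This rejects both "../" sequences and absolute client-supplied names.
    base = Path(base_dir).resolve()
    target = (base / client_name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise ValueError("upload path escapes the upload directory")
    return target

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed test input
    print("string-built:", load_unsafe(db, hostile))  # every row comes back
    print("parameterized:", load_safe(db, hostile))   # no row matches
    for name in ("report.txt", "../../etc/passwd"):   # constructed file names
        try:
            print("accepted:", resolve_upload("/tmp/uploads", name))
        except ValueError as exc:
            print("rejected:", name, "-", exc)
```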
The breach window extends back months. Organizations using these frameworks may already have compromised credentials. Any AI agent deployed on these platforms should be considered a potential entry point into backend systems.
Patches exist, but adoption lags across the ecosystem. Many teams remain unaware their infrastructure runs vulnerable versions. The frameworks must implement stricter input validation and adopt principle-of-least
