LangChain Framework Hit With Critical CVEs

By Abdul Wasay|2 hours ago |
Langchain Framework Hit With Critical Cves

LangChain and LangGraph, two popular open source frameworks used by over 60 million developers weekly, patched three high-severity vulnerabilities that expose files, API keys, and conversation histories. Security researchers said each vulnerability targets a different class of enterprise data, creating multiple attack vectors for threat actors.

The three flaws include CVE-2026-34070, a path traversal bug in LangChain that enables arbitrary file access without validation, CVE-2025-68664, a critical deserialization flaw allowing API key and environment secret exfiltration through prompt injection, and CVE-2025-67644, an SQL injection vulnerability in LangGraph’s SQLite checkpoint implementation enabling query manipulation.

Cyera security researcher Vladimir Tokarev explained that exploiting these flaws allows threat actors to read sensitive files including Docker configurations, exfiltrate secrets through prompt injection, and access conversation histories associated with sensitive workflows. LangChain serves as a foundational framework connecting AI models to data sources and tools for building chatbots and AI assistants, while LangGraph enables creation of AI agents following structured workflows.

The critical concern extends beyond the affected frameworks themselves. LangChain sits at the center of a massive dependency web stretching across the AI stack, with hundreds of libraries wrapping, extending, or depending on it. Researchers warn that vulnerabilities ripple outward through every downstream library, wrapper, and integration inheriting the vulnerable code paths.

Developers can fix CVE-2026-34070 by updating langchain-core to version 1.2.22, CVE-2025-68664 by updating to versions 0.3.81 and 1.2.5, and CVE-2025-67644 by updating langgraph-checkpoint-sqlite to version 3.0.1. Security experts urge auditing any code passing external or user-controlled configurations to load functions, disabling secrets_from_env defaults, and treating all LLM outputs as untrusted input since prompt injection can influence different fields.

Abdul Wasay

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.

Latest News

Auto Draft

Pakistan Allocates Rs. 3 Trillion for Defense Budget in FY2026-27

Auto Draft

FBR Sets Record Rs. 15.26 Trillion Tax Collection Target for FY2026-27

Psx Extends Buying Rally As Kse 100 Gains Over 1400 Points

PSX Capitalisation Reaches $59.2 Billion as KSE-100 Gains 18.4% in FY26

Samsung Galaxy AI Features

Samsung Adds New Galaxy AI Features to Galaxy Z Fold7 in June Update

Govt Proposes Salary Increases For Civil Servants In 2026 27 Budget

Cabinet Approves Salary, Pension Hike for Govt Employees

Govt Calls Cabinet Meeting To Approve Fy27 Federal Budget On June 10

Pakistan May End Tax Exemptions for EVs, Bikes and Rickshaws in Budget 2026-27

Metro Bus Fare Raised By 33 Across Punjab

Islamabad Metro Bus Suspended Amid Government Staff Protest

EasyPaisa Outage

EasyPaisa Faces Continuous Service Disruption Days After Telenor Exit Announcement

Budget 2026 To Slash Import Duties And Trade Rules

Federal Govt Tables Rs17,500 Billion Budget for FY2026-27

Pia Flight Escapes Missile Attack At Fujairah Airport Amid Middle East Tensions

PIA Privatisation Gets Legal Backing With New Bill

Meta Adds Football Features To All Apps For World Cup 2026

Meta Adds Football Features to All Apps for World Cup 2026

Pakistan Restricts Indian Content Amid Cyber Drive

Pakistan Restricts Indian Content Amid Cyber Drive

300% Tax Hike for IT Sector

Government Plans 300% Tax Hike for IT Sector in New Budget Proposal

Get Alerts