Three LangChain and LangGraph Flaws Leak Files, Secrets, and Chat History

Three security vulnerabilities in LangChain and LangGraph, disclosed today by Cyera researcher Vladimir Tokarev, expose filesystem data, environment secrets, and conversation history through three independent attack paths. The affected packages were downloaded over 84 million times last week on PyPI. Patches are available now.

What happened

Tokarev published research Thursday under the name "LangDrained," detailing three classic vulnerability classes hiding inside the most popular AI framework family on the planet. These aren't exotic AI-specific attacks. They're path traversal, deserialization injection, and SQL injection: old-school bugs living in new-school infrastructure.

Here's the breakdown:

CVE-2026-34070 (CVSS 7.5, High): A path traversal bug in langchain-core's prompt-loading API. The legacy load_prompt() function reads files from paths in deserialized config dicts without validating against directory traversal or absolute path injection. An attacker who controls prompt configuration can read arbitrary .txt, .json, and .yaml files on the host filesystem. That includes Docker configs, Azure access tokens, Kubernetes manifests, and cloud credentials. The affected functions are undocumented legacy APIs, but they still ship in every langchain-core install.

CVE-2025-68664 (CVSS 9.3, Critical): A serialization injection flaw in LangChain's dumps() and dumpd() functions. These functions don't escape dictionaries containing lc keys, which LangChain uses internally to mark serialized objects. An attacker can inject data structures through user-controlled fields like metadata or response_metadata that get treated as legitimate LangChain objects during deserialization rather than plain user data. This leaks API keys and environment secrets. The attack surface is broad: astream_events(version="v1"), Runnable.astream_log(), RunnableWithMessageHistory, InMemoryVectorStore.load(), and several other common code paths are all vulnerable. Cyata first flagged this vulnerability in December 2025, giving it the name LangGrinch.

CVE-2025-67644 (CVSS 7.3, High): An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation. An attacker can manipulate SQL queries through metadata filter keys and run arbitrary queries against the checkpoint database, which stores conversation histories. If your agent workflows handle sensitive data, that data sits in those checkpoints.