Thousands of AI agent frameworks are currently under active cyberattack, exposing a critical blind spot in enterprise security infrastructure. Three of the most widely deployed AI frameworks—LangGraph, Langflow, and LangChain—have been found harbouring severe vulnerabilities that allow attackers to execute remote code and steal sensitive credentials. These aren't exotic AI-specific threats; rather, they're classic application security flaws—SQL injection, path traversal, and unsafe deserialisation—living within cutting-edge infrastructure that security teams haven't yet learnt to properly monitor.

The most alarming case involves Langflow, where CVE-2026-5027 is already being exploited in the wild. This path traversal vulnerability allows unauthenticated attackers to upload malicious files anywhere on the system through a single HTTP request. With approximately 7,000 exposed instances detected globally and auto-login enabled by default, attackers need no credentials whatsoever. VulnCheck confirmed active exploitation beginning in June, yet the patch was released back in April—leaving a two-month window during which thousands of systems sat vulnerable. This follows an earlier Langflow flaw weaponised by Iranian state-sponsored group MuddyWater, which landed on CISA's Known Exploited Vulnerabilities catalogue.
LangGraph presents an equally dangerous chain of vulnerabilities. CVE-2025-67644, a SQL injection flaw in the SQLite checkpointer, allows attackers to write fabricated data directly into the checkpoint table. This chains with CVE-2026-28277, which exploits LangGraph's msgpack decoder to rebuild Python objects and execute arbitrary functions—including os.system—under the agent server's identity. Whilst no in-the-wild exploitation has been confirmed yet, a working proof-of-concept is publicly available. The framework has cleared over 50 million downloads monthly, making the potential attack surface enormous.
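The checkpointer bug above is an instance of the oldest injection class there is, and the fix pattern is the same everywhere: never interpolate a caller-influenced value into SQL text. The following is an added example written for this page, not LangGraph's own SqliteSaver code; the table layout, the function names and the sample thread id are all constructed for illustration. It keeps a string-built insert next to a parameterised one so the difference in behaviour on a single stray quote is visible.

```python
"""Parameterised vs. string-built SQLite writes (added example, hypothetical store).

Not LangGraph code: a minimal checkpoint table with two writers. The unsafe
writer builds the statement from caller data, which is the bug class the page
describes; the safe writer binds every value with '?' placeholders so the data
can never change the statement.
"""
import sqlite3

# Constructed schema for the example; LangGraph's real table is different.
SCHEMA = "CREATE TABLE checkpoints (thread_id TEXT, step INTEGER, state TEXT)"


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def put_unsafe(conn: sqlite3.Connection, thread_id: str, step: int, state: str) -> None:
    # Vulnerable pattern: values are pasted into the SQL text, so any quote
    # character in thread_id or state is parsed as SQL rather than stored.
    conn.execute(
        f"INSERT INTO checkpoints VALUES ('{thread_id}', {step}, '{state}')"
    )


def put_safe(conn: sqlite3.Connection, thread_id: str, step: int, state: str) -> None:
    # Hardened pattern: placeholders; sqlite3 binds the values out of band,
    # so the statement is fixed and the data is stored verbatim.
    conn.execute(
        "INSERT INTO checkpoints VALUES (?, ?, ?)", (thread_id, step, state)
    )


def get_latest(conn: sqlite3.Connection, thread_id: str):
    """Return (step, state) of the newest checkpoint for a thread, or None."""
    return conn.execute(
        "SELECT step, state FROM checkpoints "
        "WHERE thread_id = ? ORDER BY step DESC LIMIT 1",
        (thread_id,),
    ).fetchone()


def demo() -> dict:
    """Constructed scenario: a thread id containing an apostrophe.

    The unsafe writer fails on it (a symptom of the same defect that lets
    crafted input rewrite the statement); the safe writer stores it as data.
    """
    tid = "user-O'Brien"  # constructed input
    conn = open_store()
    try:
        put_unsafe(conn, tid, 1, '{"msgs": []}')
        unsafe_outcome = "inserted"
    except sqlite3.Error as exc:
        unsafe_outcome = type(exc).__name__
    put_safe(conn, tid, 1, '{"msgs": []}')
    put_safe(conn, tid, 2, '{"msgs": ["hi"]}')
    return {
        "unsafe_outcome": unsafe_outcome,
        "row_count": conn.execute("SELECT COUNT(*) FROM checkpoints").fetchone()[0],
        "latest": get_latest(conn, tid),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a reviewer auditing a checkpointer or any other persistence layer is mechanical: grep for f-strings, `%` formatting or `.format()` feeding `execute()`, and replace each with a bound parameter. The same rule applies to table and column names that come from configuration, which placeholders cannot bind; those need an allowlist instead.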
LangChain-core, the foundation underlying both frameworks, disclosed CVE-2026-34070, a path traversal vulnerability in its legacy prompt-loading API. Attackers who can influence the file path can read arbitrary files accessible to the process, including .env files containing OpenAI and Anthropic API keys. Paired with a deserialisation flaw, this creates a direct route to credential theft. The challenge for security teams is that traditional security tools—web application firewalls and endpoint detection systems—aren't designed to monitor what happens inside imported frameworks. The WAF doesn't see a msgpack decoder running several layers deep, and the EDR treats the agent server's routine process calls as normal activity.
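Both the Langflow upload flaw and the langchain-core prompt-loading flaw described above are path traversal: a caller-supplied relative path is joined onto a base directory and the result is used without checking where it actually landed. The example below is added for this page and is not Langflow or LangChain code; the `confine`, `save_upload` and `load_prompt` helpers, the base directory and the sample file names are all constructed. It shows the vulnerable join next to a check that resolves the path and refuses anything outside the intended directory, and applies that one check to both an upload handler and a prompt loader.

```python
"""Path confinement for user-influenced file paths (added example, hypothetical code).

Not Langflow or langchain-core code. Two hypothetical entry points, an upload
handler and a prompt loader, share one guard: resolve the candidate path and
require it to remain under the base directory.
"""
import os
import tempfile
from pathlib import Path


def unsafe_join(base: str, user_path: str) -> str:
    # Vulnerable pattern: os.path.join honours '..' segments and, if user_path
    # is absolute, discards base entirely.
    return os.path.normpath(os.path.join(base, user_path))


def escapes_base(base: str, user_path: str) -> bool:
    """True when the vulnerable join would land outside base."""
    base_dir = os.path.realpath(base)
    target = os.path.realpath(unsafe_join(base, user_path))
    return os.path.commonpath([base_dir, target]) != base_dir


def confine(base: str, user_path: str) -> Path:
    """Return the resolved path if it stays inside base; otherwise raise ValueError."""
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    base_dir = Path(base).resolve()
    # Resolving before the check also follows symlinks, so a link planted
    # inside the base directory cannot point the write somewhere else.
    candidate = (base_dir / user_path).resolve()
    if candidate == base_dir:
        raise ValueError("empty path")
    try:
        candidate.relative_to(base_dir)  # raises if candidate is not under base_dir
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def save_upload(base: str, filename: str, data: bytes) -> Path:
    """Hardened upload handler: confine the name, then write."""
    dest = confine(base, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def load_prompt(base: str, name: str) -> str:
    """Hardened prompt loader: same guard, then read."""
    return confine(base, name).read_text(encoding="utf-8")


def demo() -> dict:
    """Constructed scenario: a temporary prompts directory with one real file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "prompts"
        base.mkdir()
        (base / "greeting.txt").write_text("Hello, {name}!", encoding="utf-8")
        results = {
            "legit_prompt": load_prompt(str(base), "greeting.txt"),
            "vuln_escapes": escapes_base(str(base), "../../etc/passwd"),
            "legit_no_escape": escapes_base(str(base), "sub/x.txt"),
        }
        # Constructed traversal-shaped names a guard must reject.
        for bad in ("../../etc/passwd", "/etc/passwd", "sub/../../secret.env"):
            try:
                confine(str(base), bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
        saved = save_upload(str(base), "uploads/report.txt", b"ok")
        results["saved_inside"] = saved.parent.parent == base.resolve()
        return results


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The check runs on the resolved path, not on the string, because `..` handling and symlinks both change where a name lands; and the absolute-path rejection is explicit because `Path(base) / "/etc/passwd"` silently returns `/etc/passwd`. A deployment that cannot patch immediately can at least put this kind of guard in front of any endpoint that accepts a file name.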
Security experts emphasise that this represents a fundamental miscategorisation problem. Teams classify these AI frameworks as developer convenience tools, then connect them to databases, CRMs, and provider keys without proper security governance. As one chief security officer noted, when an AI agent triggers a business action based on compromised data, the damage isn't merely a security incident—it's a wrong business decision executed at machine speed. The frameworks themselves did exactly what they were designed to do; the problem is that they became production infrastructure faster than anyone secured them. For organisations running these frameworks, the fix isn't a re-architecture—it's version upgrades and configuration changes that can be implemented immediately. The real risk lies in the gap between when patches ship and when teams actually deploy them, a window currently measured in months rather than days.
Original source: https://venturebeat.com/security/7000-langflow-servers-under-attack-langgraph-langchain-same-holes
Article generated by LaRebelionBOT