LangChain Security Vulnerabilities 2026: CVEs, Attack Chains, and What to Patch
Four verified CVEs in LangChain and LangGraph expose API secrets, filesystem files, and conversation history. CVSS scores, attack paths, and patch versions for 2026.
LangChain security vulnerabilities in 2026 have moved from theoretical to production-critical: four CVEs patched between December 2025 and March 2026 expose API secrets, cloud credentials, conversation history, and arbitrary filesystem files across a framework that sees more than 60 million combined weekly downloads. The vulnerabilities span the full LangChain stack — the core Python library, LangGraph’s checkpoint backends, and the JavaScript port — and the most severe reaches a CVSS 9.3.
CVE-2025-68664: Serialization Injection and the LangGrinch Chain
The most dangerous flaw, disclosed December 2025 and nicknamed “LangGrinch,” lives in langchain-core’s serialization layer. The dumps() and dumpd() functions used throughout the framework fail to escape user-controlled dictionaries that contain lc keys. LangChain uses the lc key internally to tag serialized objects; when attacker-influenced data arrives with that key structure, the deserializer treats it as a trusted LangChain object rather than raw user input.
The realistic attack path runs through prompt injection. An adversary injects content into an LLM response — through an email body, a RAG-retrieved document, a tool return value — that lands in additional_kwargs or response_metadata. Those fields feed directly into streaming serialization. Once the crafted lc-keyed dict is deserialized in a trusted context, the consequences include:
- Full extraction of environment variables (cloud provider credentials, database URLs, vector database API keys, LLM API keys)
- Arbitrary object instantiation within trusted Python namespaces
- Potential remote code execution via Jinja2 template evaluation
Researcher Yarden Porat at Cyata reported this to LangChain via Huntr on December 4, 2025. Fixed versions: langchain-core ≥0.3.81 or ≥1.2.5. The JavaScript port carries a parallel flaw tracked as CVE-2025-68665 (CVSS 8.6), patched in @langchain/core ≥1.1.8 / ≥0.3.80.
The indirect prompt injection angle is what makes this severe at scale. Any agent that reads external content — emails via GmailToolkit, web pages, database records, file contents — is a potential injection vector. The framework’s own tool integrations become the delivery mechanism. See aisec.blog for deeper coverage of indirect prompt injection attack chains in LLM agents.
The March 2026 Batch: Path Traversal and SQL Injection
On March 27, 2026, Cyera researcher Vladimir Tokarev disclosed three additional vulnerabilities that, in his words, “each expose a different class of enterprise data: filesystem files, environment secrets, and conversation history.” The trio comprised the path traversal flaw and the LangGraph SQLite SQL injection described below, plus the previously covered serialization injection (CVE-2025-68664), re-surfaced as part of the same disclosure.
CVE-2026-34070 (CVSS 7.5) — Path traversal in LangChain’s prompt-loading API
LangChain’s prompt template loaders accept file paths without sufficient validation, allowing an attacker with influence over path parameters to traverse the filesystem and read arbitrary files the application process can access. On a typical agent deployment this includes .env files, SSH keys, TLS certificates, and any secret mounted into the container. Fixed in: langchain-core ≥1.2.22.
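The mitigation for a path traversal of this shape is to confine every caller-supplied template path to one directory before the file is opened. The following is an added example written for this article, not LangChain’s own loader code; `PROMPT_ROOT` and the allowed-suffix set are assumptions for the demonstration.

```python
from pathlib import Path

# Constructed for this example: the only directory the agent may load prompt
# templates from. A real deployment points this at its own template root.
PROMPT_ROOT = Path("/srv/agent/prompts")
# Assumption: prompt templates are only ever JSON or YAML files.
ALLOWED_SUFFIXES = {".json", ".yaml", ".yml"}


def resolve_prompt_path(user_path: str, root: Path = PROMPT_ROOT) -> Path:
    """Return the absolute path of a template inside `root`, or raise ValueError.

    Joining an absolute user path onto `root` replaces `root` entirely, and
    ".." segments climb out of it; resolve() normalises both before the
    containment check, so the check does not depend on the file existing.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"prompt path escapes {root}: {user_path!r}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"not a prompt template file: {user_path!r}")
    return candidate


def is_allowed(user_path: str, root: Path = PROMPT_ROOT) -> bool:
    """Boolean form of resolve_prompt_path(), convenient for audits and tests."""
    try:
        resolve_prompt_path(user_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("summarize/v2.yaml", "../../.env", "/etc/passwd", "loader.py"):
        print(f"{candidate!r:28} -> {'allowed' if is_allowed(candidate) else 'rejected'}")
```

The containment test runs on the resolved path rather than on the raw string, so encoded or doubled separators and mixed `./..` sequences are normalised away before the comparison; a plain `".." in path` check would not give that guarantee.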
CVE-2025-67644 (CVSS 7.3) — SQL injection in LangGraph’s SQLite checkpoint
LangGraph’s langgraph-checkpoint-sqlite backend passes metadata filter values into SQL queries without parameterization. An attacker who controls the metadata fields — which in multi-user applications can arrive from untrusted session state — can execute arbitrary SQLite queries against the checkpoint store. This exposes full conversation history and agent intermediate state for all sessions stored in the same database. Fixed in: langgraph-checkpoint-sqlite ≥3.0.1.
Taken together, the March batch demonstrates a pattern: LangChain’s modular architecture accelerates developer velocity but also means each backend integration inherits its own injection surface.
CVE-2026-27022: RediSearch Query Injection in the Redis Checkpointer
A separate disclosure from Check Point Research, credited to Yarden Porat, found that the JavaScript Redis checkpoint package @langchain/langgraph-checkpoint-redis carries its own injection flaw, tracked as CVE-2026-27022 (CVSS 6.5). The RedisSaver and ShallowRedisSaver classes build RediSearch queries by interpolating user-controlled filter keys and values directly into the query string without escaping RediSearch special syntax characters.
An attacker who controls those filter parameters can inject RediSearch syntax to bypass thread isolation and read checkpoint data belonging to other threads, exposing conversation history and agent intermediate state across tenants that share a Redis instance. This is the same class of failure as the SQLite SQL injection: untrusted input reaching a query language without parameterization. Fixed in: @langchain/langgraph-checkpoint-redis ≥1.0.2. The checkpoint layer now carries confirmed injection CVEs across both the SQLite and Redis backends.
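Both checkpoint injections come down to the same fix: untrusted filter keys and values must be bound as parameters, never spliced into the query text. The block below is an added example for the SQLite case (it is not the `langgraph-checkpoint-sqlite` code); the two-table schema and the sample rows are constructed for the demonstration, and the point generalises to any custom checkpoint backend that accepts a metadata filter.

```python
import sqlite3

# Constructed schema: one row per checkpoint, metadata stored as key/value
# rows so that filter *keys* can be bound as parameters as well as values.
SCHEMA = """
CREATE TABLE checkpoints (
    id        INTEGER PRIMARY KEY,
    thread_id TEXT NOT NULL,
    state     TEXT NOT NULL
);
CREATE TABLE checkpoint_metadata (
    checkpoint_id INTEGER NOT NULL REFERENCES checkpoints(id),
    meta_key      TEXT NOT NULL,
    meta_value    TEXT NOT NULL
);
"""

# Constructed sample data: two tenants sharing one checkpoint store.
SAMPLE_ROWS = [
    (1, "thread-alice", '{"messages": ["alice: plan the offsite"]}', {"source": "input", "step": "0"}),
    (2, "thread-alice", '{"messages": ["alice: plan the offsite", "assistant: sure"]}', {"source": "loop", "step": "1"}),
    (3, "thread-bob", '{"messages": ["bob: reset my password"]}', {"source": "input", "step": "0"}),
]


def open_store() -> sqlite3.Connection:
    """Create an in-memory store populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for cid, thread, state, meta in SAMPLE_ROWS:
        conn.execute("INSERT INTO checkpoints VALUES (?, ?, ?)", (cid, thread, state))
        conn.executemany(
            "INSERT INTO checkpoint_metadata VALUES (?, ?, ?)",
            [(cid, k, v) for k, v in meta.items()],
        )
    return conn


def search_checkpoints(conn: sqlite3.Connection, thread_id: str,
                       metadata_filter: dict[str, str]) -> list[tuple[int, str]]:
    """Return (id, state) rows of one thread that match every metadata key/value.

    Everything the caller controls, the thread id and each filter key and
    value, is bound through '?' placeholders. The SQL text only grows by a
    fixed EXISTS clause per filter entry, so a quote or comment sequence in
    the input is matched literally and cannot change the query's shape.
    """
    sql = "SELECT c.id, c.state FROM checkpoints c WHERE c.thread_id = ?"
    params: list[str] = [thread_id]
    for key, value in metadata_filter.items():
        sql += (" AND EXISTS (SELECT 1 FROM checkpoint_metadata m"
                " WHERE m.checkpoint_id = c.id AND m.meta_key = ? AND m.meta_value = ?)")
        params.extend([str(key), str(value)])
    sql += " ORDER BY c.id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    store = open_store()
    print(search_checkpoints(store, "thread-alice", {"source": "input"}))
    # A filter value carrying SQL syntax matches nothing instead of widening the query.
    print(search_checkpoints(store, "thread-alice", {"source": "input' OR '1'='1"}))
```

Note that the thread id is bound the same way as the metadata; tenant isolation rests on that predicate, so it must never be the one piece of the query assembled from a string.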
Attack Surface in Production LangChain Agents
The exploitability of these CVEs depends heavily on deployment configuration, but several common patterns maximize exposure:
Streaming with persistent state. Applications that enable LangGraph’s checkpoint backends to preserve conversation history across sessions are directly in scope for CVE-2025-67644 and CVE-2026-27022. Multi-tenant deployments where different users share a checkpoint store are the worst case.
Agent tool integrations reading external content. Any LangChain agent wired to tools that fetch external data — WebBaseLoader, GmailToolkit, SQLDatabaseChain, Slack integrations — is an indirect prompt injection target for CVE-2025-68664. The attacker doesn’t need direct API access; they need to place content where the agent will read it.
secrets_from_env=True (the default before the patch). The pre-patch default enabled secrets extraction from environment variables during deserialization. Deployments that have not upgraded to ≥0.3.81 or ≥1.2.5 and expose agents to external input are leaking credentials to any attacker who can craft a prompt injection payload.
For organizations tracking these exposures across their ML stack, ai-alert.org maintains an ongoing ML CVE tracker updated as new disclosures land.
What to Patch
Pin versions explicitly in requirements.txt or pyproject.toml rather than relying on transitive resolution. Minimum safe versions as of June 2026:
| Package | Minimum safe version | CVE addressed |
|---|---|---|
| langchain-core | 1.2.22 | CVE-2025-68664 [^1], CVE-2026-34070 |
| @langchain/core (JS) | 1.1.8 | CVE-2025-68665 |
| langgraph-checkpoint-sqlite | 3.0.1 | CVE-2025-67644 |
| @langchain/langgraph-checkpoint-redis (JS) | 1.0.2 | CVE-2026-27022 |
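A pin in `requirements.txt` only helps if the environment that actually runs the agent honours it, so it is worth checking installed versions against the table directly. The script below is an added example, not an official LangChain tool: it carries the Python minimums from the table above (the JS packages cannot be inspected from a Python environment), compares them numerically, and reports what is still unpatched. The version parser is a deliberately small one that ignores pre-release suffixes; use `packaging.version` when it is available.

```python
from importlib import metadata

# Minimum safe versions, taken from the table above.
MINIMUM_SAFE = {
    "langchain-core": ("1.2.22", ["CVE-2025-68664", "CVE-2026-34070"]),
    "langgraph-checkpoint-sqlite": ("3.0.1", ["CVE-2025-67644"]),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.2.22' into (1, 2, 22). Pre-release tags such as 'rc1' are dropped,
    so '1.2.22rc1' compares equal to 1.2.22; a simplification, see the lead-in."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(installed: str, minimum: str) -> bool:
    """Numeric comparison, so 1.10.0 correctly counts as newer than 1.2.22."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit(installed: dict[str, str]) -> list[str]:
    """One finding per installed package that sits below its minimum safe version.
    Note that a 0.3.x langchain-core is flagged: 0.3.81 closes CVE-2025-68664
    but the table's 1.2.22 minimum is what also closes CVE-2026-34070."""
    findings = []
    for pkg, (minimum, cves) in MINIMUM_SAFE.items():
        current = installed.get(pkg)
        if current is None:
            continue  # not installed, nothing to patch
        if not is_patched(current, minimum):
            findings.append(f"{pkg} {current} < {minimum}: {', '.join(cves)} unpatched")
    return findings


def installed_versions() -> dict[str, str]:
    """Read the versions actually present in this interpreter's environment."""
    found = {}
    for pkg in MINIMUM_SAFE:
        try:
            found[pkg] = metadata.version(pkg)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    for line in audit(installed_versions()) or ["no findings"]:
        print(line)
```

Run it inside the same virtual environment or container image that serves the agent; an audit of a developer laptop says nothing about what is deployed.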
Beyond version pinning, three operational controls reduce residual risk:
- Sanitize tool return values before serialization. Strip or reject any dict keys matching `lc` before they reach `dumps()`/`dumpd()`. This is defense-in-depth against undiscovered variants of CVE-2025-68664.
- Parameterize all checkpoint backend queries. If you run a custom checkpoint implementation, audit every raw query for user-controlled input. The two confirmed injections suggest the pattern was not reviewed systematically at the framework level.
- Run agents with least-privilege environment variables. Secrets needed by the LLM API call should be scoped to that call. Avoid giving the agent process access to credentials it doesn’t consume; CVE-2025-68664 extracts whatever is in `os.environ`, so a narrow environment limits the blast radius.
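The first control above, and the serialization mechanism described under CVE-2025-68664, can be enforced with a small gate that walks tool output and message metadata before anything is handed to `dumps()`/`dumpd()`. This is an added example written for this article, not langchain-core code; the `lc` marker comes from the text above, while the nested sample message is constructed and deliberately contains nothing beyond that key.

```python
from typing import Any

# langchain-core's serialization marker, per the CVE-2025-68664 writeup above.
RESERVED_KEY = "lc"


class UnsafeSerializationInput(ValueError):
    """Raised when untrusted data carries the framework's serialization marker."""


def sanitize_for_serialization(value: Any, *, mode: str = "reject", _path: str = "$") -> Any:
    """Walk tool results / message metadata before they reach dumps() or dumpd().

    mode="reject": raise on the first dict that carries the reserved key.
    mode="strip":  return a deep copy with the reserved key removed, so the
                   loader later sees an ordinary dict instead of an object tag.
    """
    if mode not in ("reject", "strip"):
        raise ValueError(f"unknown mode {mode!r}")
    if isinstance(value, dict):
        cleaned = {}
        for key, inner in value.items():
            if key == RESERVED_KEY:
                if mode == "reject":
                    raise UnsafeSerializationInput(f"reserved key {RESERVED_KEY!r} at {_path}")
                continue  # strip mode: drop the marker, keep the rest
            cleaned[key] = sanitize_for_serialization(inner, mode=mode, _path=f"{_path}.{key}")
        return cleaned
    if isinstance(value, (list, tuple)):
        items = [sanitize_for_serialization(v, mode=mode, _path=f"{_path}[{i}]")
                 for i, v in enumerate(value)]
        return type(value)(items)
    return value  # str, int, None and other scalars pass through unchanged


def contains_reserved_key(value: Any) -> bool:
    """True if the reserved key appears anywhere in the structure."""
    try:
        sanitize_for_serialization(value, mode="reject")
    except UnsafeSerializationInput:
        return True
    return False


# Constructed sample: a tool result whose additional_kwargs nests a dict that
# carries the marker three levels down. It is a marker only, not a payload.
SUSPICIOUS = {
    "content": "Meeting notes attached.",
    "additional_kwargs": {
        "attachments": [
            {"name": "notes.txt", "lc": 1, "note": "constructed marker only"},
        ]
    },
}

if __name__ == "__main__":
    print("flagged:", contains_reserved_key(SUSPICIOUS))
    print("stripped:", sanitize_for_serialization(SUSPICIOUS, mode="strip"))
```

Reject mode is the safer default for tool integrations, because a marker in data that should never contain one is itself a signal worth alerting on; strip mode suits pipelines that must keep running on noisy input. Either way the gate runs on the untrusted side of the boundary, before the data becomes a message object.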
Sources
- LangChain, LangGraph Flaws Expose Files, Secrets, Databases — The Hacker News, March 2026. Primary disclosure writeup for the Cyera batch (CVE-2026-34070, CVE-2025-67644, and the re-surfaced CVE-2025-68664), with attribution to Vladimir Tokarev at Cyera.
- From SQLi to RCE: Exploiting LangGraph’s Checkpointer — Check Point Research, 2026. Disclosure of the LangGraph checkpoint injection chain including CVE-2026-27022 (RediSearch query injection in `@langchain/langgraph-checkpoint-redis`), credited to Yarden Porat.
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — The Hacker News, December 2025. Initial disclosure of CVE-2025-68664, CVSS 9.3, including attack path and affected version ranges.
- LangGrinch: CVE-2025-68664 in LangChain Core — Cyata, December 2025. Original researcher writeup by Yarden Porat detailing the serialization injection mechanism and PoC attack chain.
Footnotes
[^1]: CVE-2025-68664 was first patched in `langchain-core` ≥0.3.81 (0.3.x line) and ≥1.2.5 (1.x line); ≥1.2.22 is listed here because it is the version that also closes CVE-2026-34070. Readers on the 1.x line should not assume any release below 1.2.22 is fully patched, since 1.2.22 is required for the path-traversal fix.