LangChain LangGraph Security: 2026 CVE Hardening Guide

Three critical vulnerabilities disclosed on March 27, 2026 turned LangChain and LangGraph from trusted enterprise AI frameworks into active attack surfaces. LangGraph security, which had received minimal practitioner attention before this disclosure, became a CISO-level concern overnight for every organization running production AI agents on these libraries. The Hacker News and SecurityWeek both ran coverage within hours, but their news articles stopped at patch version numbers. This guide goes further: it walks through each vulnerability in technical detail, explains the realistic exploitation chain that connects all three, and provides a complete hardening checklist based on what we have seen in production agent deployments.

The March 2026 CVE Trifecta: Three Vulnerabilities, Three Attack Classes

When the LangChain security team published three advisories simultaneously on March 27, 2026, the disclosure caught most organizations mid-deployment. The timing was not accidental: LangGrinch (CVE-2025-68664) had been privately reported in December 2025 by security researcher Yarden Porat at Cyata, and the coordinated release included two additional vulnerabilities discovered during the subsequent code audit.

The three CVEs target different layers of the LangChain and LangGraph ecosystem:

| CVE | Package | Type | CVSS | Patched In | |-----|---------|------|------|------------| | CVE-2026-34070 | langchain-core | Path traversal | 7.5 | 1.2.22 | | CVE-2025-67644 | langgraph-checkpoint-sqlite | SQL injection | 7.3 | 3.0.1 | | CVE-2025-68664 | langchain-core | Serialization injection | 9.3 | 0.3.81 / 1.2.5 |

Each vulnerability is serious on its own. Together, they form an attack chain that can take an attacker from a single malicious prompt to full credential exfiltration and, under the right conditions, arbitrary code execution on the agent host.

Before doing anything else, verify your current installed versions:

pip show langchain-core langgraph-checkpoint-sqlite | grep -E "Name|Version"

If langchain-core is below 1.2.22 or langgraph-checkpoint-sqlite is below 3.0.1, treat your deployment as compromised until patched.

CVE-2026-34070: How Prompt Loaders Become Arbitrary File Read Primitives

The path traversal in CVE-2026-34070 lives in three legacy functions in langchain_core.prompts.loading:

• load_prompt(path)
• load_prompt_from_config(config_dict)
• The .save() method on prompt classes

The flaw is an absence of path validation. These functions accept file paths from deserialized configuration dictionaries. They restrict the file extensions they will read (.txt, .json, .yaml) but never sanitize the path components themselves. An attacker can supply ../../../../etc/passwd.yaml as a filename or use an absolute path to read any file accessible to the process that uses one of the three permitted extensions.

In practice, the files that matter most are not /etc/passwd but rather:

• .env files containing database credentials, LLM API keys, and cloud provider secrets
• config.yaml files for orchestration systems with embedded service account tokens
• Kubernetes secret files that happen to use .yaml extensions
• Docker Compose configuration files with plaintext service passwords

We have seen this pattern in production deployments where agents loaded prompt configurations from user-supplied API payloads. When the application passed those payloads directly to load_prompt_from_config(), any user with API access could enumerate files on the agent host by iterating path traversal sequences until something readable was returned.

The fix in langchain-core 1.2.22 adds strict path validation and formally deprecates these APIs. They will be removed entirely in version 2.0.0. The immediate mitigation is to stop calling these functions entirely. Replace them with explicit prompt construction:

# Vulnerable: never pass user-controlled input to these functions
from langchain_core.prompts.loading import load_prompt
prompt = load_prompt(user_provided_path)  # DO NOT DO THIS

# Safe alternative: construct prompts explicitly
from langchain_core.prompts import ChatPromptTemplate
prompt = ChatPromptTemplate.from_messages([
    ("system", "Your fixed system prompt here"),
    ("human", "{user_input}"),
])

For applications that genuinely need to load prompts from configuration files, define a strict allowlist of permitted paths and validate against it before calling any file-reading function:

import os

ALLOWED_PROMPT_DIR = "/app/prompts"
ALLOWED_EXTENSIONS = {".txt", ".json", ".yaml"}

def safe_load_prompt_path(filename: str) -> str:
    """Validate that a prompt path stays within the allowed directory."""
    full_path = os.path.realpath(os.path.join(ALLOWED_PROMPT_DIR, filename))
    if not full_path.startswith(ALLOWED_PROMPT_DIR):
        raise ValueError(f"Path traversal attempt detected: {filename!r}")
    if os.path.splitext(full_path)[1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"Extension not permitted: {filename!r}")
    return full_path

Audit your codebase for all uses of these functions with a single grep:

grep -r "load_prompt\|load_prompt_from_config" src/ --include="*.py"

Any result that traces back to user input, API parameters, or LLM output is a live vulnerability until patched.

CVE-2025-67644: SQL Injection in LangGraph's Stateful Agent Memory

LangGraph's checkpoint system is what makes stateful agents possible. Instead of treating each invocation as independent, LangGraph persists the agent's state graph between turns using a local SQLite database, enabling multi-step workflows that span many interactions. This persistence is one of LangGraph's core architectural advantages. It is also the source of CVE-2025-67644.

The SQL injection lives in the _metadata_predicate() function, which constructs the WHERE clause for checkpoint queries. When an application calls SqliteSaver.list() or SqliteSaver.alist() with a filter argument, LangGraph builds the predicate by interpolating filter keys directly into an f-string:

# Simplified version of the vulnerable code pattern (pre-3.0.1)
# The key variable comes from caller-supplied filter dict keys
predicate = f"metadata->>'$.{filter_key}' = ?"

An attacker who controls filter_key can inject arbitrary SQL. A filter key of user_id' = '1' OR '1'='1 produces:

SELECT * FROM checkpoints
WHERE metadata->>'$.user_id' = '1' OR '1'='1' = ?

This bypasses all filters and returns every checkpoint record in the database.

The impact extends beyond filter bypass. The checkpoint database stores agent state, full conversation history, thread identifiers, and any metadata attached to agent runs. In multi-tenant deployments, this vulnerability enables cross-tenant data access. An attacker with access to one tenant's metadata filter parameters can exfiltrate the conversation history of every other tenant. In single-tenant deployments, it exposes all historical agent activity to any user who can influence the filter keys passed to the checkpoint query.

The fix in version 3.0.1 enforces a strict allowlist regex on filter keys: ^[a-zA-Z0-9_.-]+$. Any key that does not match this pattern is rejected before the query executes.

For applications that cannot immediately upgrade, the manual mitigation is to validate filter keys against the same pattern before passing them to LangGraph:

import re

SAFE_KEY_PATTERN = re.compile(r'^[a-zA-Z0-9_.\-]+$')

def validate_filter_keys(filters: dict) -> dict:
    for key in filters:
        if not SAFE_KEY_PATTERN.match(key):
            raise ValueError(f"Unsafe filter key rejected: {key!r}")
    return filters

# Apply before every checkpoint query
results = await checkpointer.alist(config, filter=validate_filter_keys(user_filters))

This vulnerability also surfaces a broader architectural issue. LangGraph checkpoint databases often contain far more sensitive data than their owners realize. If an agent processes HR records, financial transactions, or customer PII, that data flows through checkpoint state. Treat the checkpoint database with the same access controls, encryption requirements, and audit logging you apply to your primary application database.

CVE-2025-68664: Serialization Injection and the Path to Remote Code Execution

The most severe of the three vulnerabilities, CVE-2025-68664, was discovered by Yarden Porat at Cyata and privately reported in December 2025. Its CVSS score of 9.3 reflects what is possible in realistic production conditions, not just theoretical worst cases.

LangChain uses a special key called "lc" in serialized data structures to mark LangChain objects. During deserialization, this key signals that a dictionary should be reconstructed as a LangChain object rather than treated as plain user data. The vulnerability is that dumps() and dumpd() do not escape this key when serializing user-controlled data. If an LLM output contains the "lc" key structure in fields like additional_kwargs or response_metadata, that output will be deserialized as a trusted LangChain object.

The realistic attack path:

The attacker sends a prompt injection payload to an LLM-backed agent (directly, or embedded in a document processed by the agent)

The payload causes the LLM to produce output containing the "lc" marker key in a user-controlled field

The application serializes this output using LangChain's standard dumps() function (for logging, streaming, or state persistence)

Later, when the application deserializes this data, it reconstructs the embedded object as a trusted LangChain component

The attacker-controlled object instantiates a class from LangChain's trusted namespace: langchain-core, langchain, langchain-community, or langchain-aws

Using ChatBedrockConverse from langchain-aws, the deserialized object triggers outbound HTTP requests with environment variables in headers, exfiltrating cloud credentials

Using PromptTemplate with Jinja2 mode enabled, the deserialized object achieves arbitrary Python code execution

Before the March 2026 patch, the secrets_from_env parameter defaulted to True during deserialization, meaning any deserialized object could automatically read environment variables. This made secret exfiltration a near-automatic consequence of successful LangGrinch exploitation.

The patches in langchain-core 0.3.81 and 1.2.5 address this by escaping the "lc" key during serialization of user-controlled data, changing secrets_from_env to default to False, and adding a maxDepth parameter to prevent denial-of-service via deeply nested structures.

After patching, audit all code paths where dumps(), dumpd(), load(), or loads() are called:

grep -r "from langchain_core.load import\|langchain_core.load" src/ --include="*.py"

Verify that LLM outputs are not being serialized and later deserialized in a pipeline that treats them as trusted:

from langchain_core.load import dumps

output = llm.invoke(user_prompt)

# Safe: access the content field directly as plain text
content = output.content

# Potentially unsafe pre-patch: serializing LLM output that may contain injected 'lc' keys
serialized = dumps(output)  # Could embed attacker-controlled LangChain objects

Chaining All Three: From Prompt Injection to Full System Compromise

The most dangerous scenario does not require exploiting each CVE independently. In production deployments, the three vulnerabilities chain naturally into a single attack sequence.

Step 1: Initial access via prompt injection. The attacker embeds a prompt injection payload in a document processed by a RAG-enabled LangGraph agent. The payload instructs the LLM to include the "lc" marker key structure in its response metadata (setting up CVE-2025-68664).

Step 2: Credential extraction via path traversal. The deserialized LangChain object calls load_prompt() with a path pointing to the application's .env file (CVE-2026-34070). This exposes database connection strings, LLM API keys, and cloud provider credentials.

Step 3: Full checkpoint exfiltration via SQL injection. With the database credentials in hand, the attacker queries the LangGraph checkpoint database directly, bypassing metadata filters entirely via SQL injection (CVE-2025-67644) to extract all conversation history across all agent threads and all tenants.

Step 4: Code execution via Jinja2 template instantiation. If the target application uses PromptTemplate with Jinja2 enabled, the deserialized template can execute arbitrary Python, giving the attacker a shell on the agent host.

This chain is not theoretical. Microsoft Security Blog published research in May 2026 documenting similar prompt-injection-to-RCE paths across multiple agent frameworks, confirming that these attack chains are being actively researched and exploited in the wild.

Enterprise Hardening Checklist: 12 Controls for LangChain and LangGraph

Patching the three March 2026 CVEs is the immediate priority. Long-term security requires architectural changes that prevent the next class of similar vulnerabilities. These 12 controls address both.

Control 1: Apply all patches immediately.

pip install "langchain-core>=1.2.22" "langgraph-checkpoint-sqlite>=3.0.1"

Pin minimum versions in requirements.txt or pyproject.toml. Do not rely on unpinned upgrades in production.

Control 2: Remove all uses of legacy prompt loader APIs.

Audit for load_prompt, load_prompt_from_config, and the .save() method on prompt classes. Replace every occurrence with explicit prompt construction. These APIs are deprecated and will be removed in LangChain 2.0.0.

grep -rn "load_prompt\|load_prompt_from_config" . --include="*.py"

Control 3: Validate all file paths against a strict allowlist.

Any path that originates from user input, API parameters, or LLM output must be validated before use. Maintain a set of permitted directories and reject anything outside them.

Control 4: Validate LangGraph metadata filter keys.

Apply regex validation to all metadata filter keys before passing them to list() or alist(). The pattern ^[a-zA-Z0-9_.-]+$ matches the fix applied in version 3.0.1. Any key that does not match must be rejected before it reaches the SQL layer.

Control 5: Confirm secrets_from_env defaults post-upgrade.

Verify that no code in your application passes secrets_from_env=True to LangChain's load() function explicitly. The new default is False, but existing code that overrides this default is still vulnerable.

Control 6: Run agents in isolated, read-only containers.

Containerize LangChain agents with a read-only root filesystem, dedicated write mounts for application data only, non-root user accounts, and no access to the Docker socket. The langchain-sandbox library is officially deprecated for production use. Use Docker directly with explicit resource constraints:

FROM python:3.12-slim
RUN useradd -m -u 1001 agent
USER agent
# Mount application code read-only at build time
# Use explicit volume mounts for writable paths

Control 7: Enforce network egress allowlists.

An agent processing documents or user input should only reach specific endpoints: your LLM API provider, your vector database, and explicitly approved external tools. All other outbound traffic should be blocked at the network layer. This limits the blast radius of SSRF exploitation via CVE-2025-68664 and restricts data exfiltration paths even when deserialization is successful.

Control 8: Treat all LLM output as untrusted data.

LLM output must never flow into functions that execute code, construct SQL queries, or read from the filesystem without explicit validation at that boundary. This is the underlying design principle violated by all three March 2026 CVEs. Apply it uniformly across your entire agent codebase.

Control 9: Audit all serialization pipelines.

Review every location where dumps(), dumpd(), load(), or loads() are called. Confirm that user-controlled data, including LLM outputs, is not being serialized and later deserialized in a pipeline that could allow object injection. Post-patch, these functions are safe for internal LangChain objects but should never be called on data that a user or external system supplied.

Control 10: Access-control and encrypt checkpoint databases.

LangGraph checkpoint databases contain full conversation history and agent state. Apply filesystem permissions so that only the agent service account can read the database file. For deployments where checkpoints contain regulated data (healthcare, financial), apply database-level encryption and treat checkpoint retention as a data governance question.

Control 11: Apply least privilege to agent service accounts.

The agent process should hold only the credentials it needs for the current task. Database users should have SELECT or targeted INSERT/UPDATE access, not schema-level rights. Cloud IAM roles should be scoped to specific resources. File system access should be limited to the working directory.

Control 12: Integrate automated dependency scanning in CI.

Given the rate of CVE disclosure in the LangChain ecosystem, dependency scanning on every build is a baseline requirement, not optional:

pip install pip-audit
pip-audit --requirement requirements.txt --fail-on-vuln

Continuous Security Testing for LangGraph Workflows

Patching and architectural controls address known vulnerabilities. Continuous testing identifies new ones before public disclosure.

Standard web application security testing is insufficient for LangGraph. Agents execute multi-step state machine workflows where security-relevant behavior emerges from sequences of transitions, not individual inputs. An agent that behaves safely on any single step may be exploitable across a three-step interaction sequence. This is why the OWASP Top 10 for Agentic Applications 2026 treats memory poisoning (ASI06) and cascading failures (ASI08) as distinct risk categories from single-turn prompt injection.

Effective security testing for LangGraph deployments includes four components:

Prompt injection regression tests. For every agent workflow, maintain a suite of adversarial prompts covering instruction override, state corruption, and exfiltration attempts. Run these on every deployment as part of your CI pipeline. A test that passed before a LangChain upgrade may fail after it.

Checkpoint isolation verification. In multi-tenant deployments, build explicit test cases that attempt cross-tenant checkpoint access. Pass one tenant's metadata filter parameters in the context of another tenant's session and verify that zero records are returned.

State machine boundary testing. Map all transitions in your LangGraph state machine and test whether the agent can be driven into unintended states via crafted inputs. Pay particular attention to transitions that result in tool calls, file access, or external API requests, since these are the transitions that carry real-world impact.

Dependency scanning on every build. LangChain has a documented history of CVE releases. The three March 2026 disclosures followed a similar pattern to earlier advisories in the package. Automated scanning is the only reliable way to catch unpatched dependencies before they are exploited.

For a structured approach to adversarial testing of agent workflows, our AI agent security testing enterprise guide covers the full testing methodology, including tool abuse, inter-agent communication attacks, and memory poisoning scenarios. For background on how the LangChain ecosystem compares to alternatives from a security architecture perspective, see our LangChain vs CrewAI vs LangGraph comparison.

If your agents execute code or interact with production databases, the AI agent sandboxing guide covers the full isolation architecture in detail.

Conclusion

The three March 2026 LangChain and LangGraph CVEs are a pattern, not an exception. LangChain was designed for rapid agent development, and design choices made under that priority, undocumented legacy APIs, f-string SQL construction, unescaped internal marker keys, produced three serious vulnerabilities that coexisted in production deployments for extended periods before disclosure.

Applying the patches closes the specific CVEs. The architectural work, sandboxing execution, validating LLM outputs as untrusted data, access-controlling checkpoint databases, and enforcing egress allowlists, is what prevents the next class of similar vulnerabilities from having the same impact.

If you have a LangChain or LangGraph deployment in production and want a structured review of your attack surface, contact us for an AI security assessment. We cover prompt loader configurations, checkpoint access patterns, serialization pipelines, and agent privilege levels against a complete hardening checklist derived from production security reviews.

You can also start with our automated AI security scan to identify unpatched dependencies and exposed agent endpoints before a full engagement.

Authoritative references:

• CVE-2026-34070 at NVD
• CVE-2025-67644 GitHub advisory: GHSA-9rwj-6rc7-p77c
• CVE-2025-68664 LangGrinch original disclosure at Cyata
• OWASP Top 10 for Agentic Applications 2026
• LangChain security policy