Hacker News
LangChain and LangGraph Critical Vulnerabilities Expose Files, Secrets, and Databases Across 52M+ Weekly Downloads
Three CVEs disclosed March 27 by researcher Vladimir Tokarev (Cyera): CVE-2026-34070 (CVSS 7.5, path traversal in prompt-loading), CVE-2025-68664 (CVSS 9.3, unsafe deserialization leaking API keys), and CVE-2025-67644 (CVSS 7.3, SQL injection in LangGraph SQLite checkpoint). With 52M+ combined weekly downloads, the vulnerabilities ripple through hundreds of downstream libraries. Patches available in langchain-core ≥1.2.22 and langgraph-checkpoint-sqlite 3.0.1.
↳ Follow the thread