Cybersecurity researchers have disclosed details of three now-patched security flaws in LangGraph, an open-source framework created by LangChain for building complex, stateful, and multi-agent AI applications. Chained together, the flaws form a critical attack path that could result in remote code execution (RCE) on self-hosted deployments.
What Is LangGraph?
LangGraph is an orchestration framework built on top of LangChain that allows developers to construct multi-agent workflows as directed graphs — where nodes represent AI agents or tools and edges represent the transitions between them. It is widely deployed by organizations building agentic AI systems, particularly those integrating with AWS services and other cloud platforms.
The Vulnerability Chain
Researchers identified three distinct security flaws in LangGraph's self-hosted server components. The critical finding is that these vulnerabilities can be chained together to achieve unauthenticated or low-privilege remote code execution on a self-hosted LangGraph deployment.
The vulnerabilities involve:
- Improper input validation in agent state handling, allowing an attacker to inject malicious data into the graph state
- Insufficient sandboxing of tool execution contexts, which fails to adequately restrict what code can be invoked during agent graph traversal
- Authentication bypass in certain API endpoints exposed by the self-hosted LangGraph server
When combined, an attacker capable of reaching the LangGraph server API — even without valid credentials in some configurations — could trigger the execution of arbitrary code on the underlying host.
Impact
The impact is particularly significant for organizations running self-hosted LangGraph Server deployments (the API server component of LangGraph Platform). Managed cloud deployments on LangSmith's hosted infrastructure were not directly exposed to the same attack surface.
Potential consequences of exploitation include:
- Full server compromise — arbitrary code execution as the LangGraph process user
- Data exfiltration — access to agent state, tool credentials, and workflow data stored in the LangGraph persistence layer
- Lateral movement — compromise of cloud credentials or internal services reachable from the LangGraph host
- Agent poisoning — modification of persistent graph state to inject malicious behavior into future agent runs
Affected Versions
All LangGraph self-hosted server versions prior to the patches released in June 2026 are affected. Organizations using the LangChain-hosted LangSmith platform should verify their deployment type and patch status with LangChain directly.
Patches and Remediation
LangChain has released patches addressing all three vulnerabilities. Organizations should:
- Update LangGraph to the latest patched version immediately
- Restrict network access to the LangGraph server API — it should not be exposed to untrusted networks
- Rotate credentials for any services accessible from the LangGraph deployment (AWS IAM, database connections, API keys stored in tool configurations)
- Audit agent state logs for anomalous graph traversal patterns that may indicate prior exploitation
- Enable authentication on all LangGraph server API endpoints — unauthenticated API access should be disabled in production
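An added example of checking the last two points, written for this page and not taken from LangChain or the original disclosure: a stdlib-only Python script that sends requests with no Authorization header to a LangGraph Server base URL and flags any data-bearing endpoint that answers 2xx. It assumes the standard LangGraph Server REST paths (GET /ok, GET /info, POST /assistants/search, POST /threads/search) and the local default of http://127.0.0.1:2024; the status-to-finding mapping is this example's own convention.

```python
"""Probe a self-hosted LangGraph Server for unauthenticated API access.

Added illustration, not LangChain code. Assumed: the server speaks the
standard LangGraph Server REST API (GET /ok, GET /info, POST /assistants/search,
POST /threads/search). The default URL used below is an assumption as well.
"""
import json
import sys
import urllib.error
import urllib.request

# (method, path, JSON body, must_require_auth). /ok is a health check and is
# expected to answer without credentials; the other three return deployment
# metadata or tenant data (assistants, threads) and must not.
PROBES = [
    ("GET", "/ok", None, False),
    ("GET", "/info", None, True),
    ("POST", "/assistants/search", {"limit": 1}, True),
    ("POST", "/threads/search", {"limit": 1}, True),
]


def classify(status, must_require_auth):
    """Map one endpoint's HTTP status (None = no TCP/HTTP answer) to a finding."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        return "EXPOSED" if must_require_auth else "open-ok"
    return f"other-{status}"


def request_status(base_url, method, path, body, timeout=5.0):
    """Send one request with no Authorization header; return the status code."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=data,
        method=method,
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        # Connection refused, DNS failure, timeout: the API is not reachable.
        return None


def probe(base_url, fetch=request_status):
    """Probe every endpoint; `fetch` is injectable so the logic runs offline."""
    return {
        path: classify(fetch(base_url, method, path, body), must_auth)
        for method, path, body, must_auth in PROBES
    }


def has_exposure(results):
    """True if any endpoint that must require credentials answered 2xx."""
    return any(finding == "EXPOSED" for finding in results.values())


if __name__ == "__main__":
    # Default is an assumption: `langgraph dev` serves on port 2024 locally.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:2024"
    findings = probe(target)
    for path, finding in findings.items():
        print(f"{path:22s} {finding}")
    sys.exit(1 if has_exposure(findings) else 0)
```

Run it twice: once from inside the trusted network, where every finding other than /ok should read "protected", and once from a vantage point that should not be able to reach the deployment, where the expected result is "unreachable" for every path. Any HTTP answer at all from the untrusted side, even a 401, shows the API is exposed to a network the remediation list says it should not be.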
# Update LangGraph via pip
pip install --upgrade langgraph langgraph-sdk
# Check installed version
pip show langgraph | grep Version
Broader Implications for AI Infrastructure Security
This disclosure reinforces a trend observed throughout 2026: AI agent frameworks are becoming high-value attack targets. Unlike traditional application vulnerabilities, flaws in AI orchestration frameworks can have cascading effects — a single compromise can expose all connected tools, cloud resources, and data sources that the agent stack has access to.
The LangGraph findings follow similar RCE disclosures in LangFlow (CVE-2026-33017), PraisonAI, and AI agent SDKs throughout the year. As organizations accelerate AI agent adoption, securing the infrastructure that hosts them must receive the same scrutiny applied to production web applications.