Langflow CVE-2026-5027 Under Active Exploit Across 7,000 Servers
TL;DR
- Langflow's CVE-2026-5027 (CVSS 8.8) enables unauthenticated remote file writes; active exploitation confirmed June 8 across approximately 7,000 exposed instances.
- LangGraph holds a SQL injection to RCE chain (CVE-2025-67644, CVSS 7.3); LangChain-core has a path traversal that reads credentials from disk.
- A Langflow patch shipped April 15 in version 1.9.0; attacks began in June, creating a nearly two-month exposure window for unpatched instances.
Three AI agent frameworks that together underpin vast amounts of production workload share a single uncomfortable security pattern: classic application vulnerabilities shipped faster than the security review that should catch them, and state-level actors have now noticed.
Langflow is the acute case. According to VentureBeat, roughly 7,000 Langflow instances are currently exposed on the internet, the majority in North America, and VulnCheck confirmed active exploitation on June 8 when its sensors caught the first in-the-wild hits. The flaw, CVE-2026-5027 (CVSS 8.8), sits in the file-upload endpoint: the filename parameter is written to disk without sanitization, so packing it with path traversal sequences lets an attacker drop a file anywhere on the host, and a cron entry in /etc/cron.d hands over a shell from there. What compounds the damage is that Langflow ships with auto-login enabled in its default configuration, meaning an exposed instance needs no credentials at all. A patch landed April 15 in version 1.9.0; attacks began in June, leaving a nearly two-month window in which every unpatched instance sat open.
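The class of bug described above, shown as an added Python example; it is not Langflow's code or its 1.9.0 fix. The function names and sample filenames are hypothetical and constructed for illustration: a naive join of the client-supplied filename beside a handler that keeps only the final path component and confirms the resolved target stays inside the upload directory.

```python
import os
import tempfile
from pathlib import Path

class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""

def naive_upload_path(upload_dir: Path, filename: str) -> Path:
    # The pattern the article describes: the client's filename is joined to
    # the storage directory as-is, so "../" segments or an absolute path win.
    return Path(os.path.normpath(os.path.join(upload_dir, filename)))

def safe_upload_path(upload_dir: Path, filename: str) -> Path:
    # Treat both separator styles as separators and keep only the last
    # component, so no directory part of the client value survives.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(repr(filename))
    base = upload_dir.resolve()
    target = (base / name).resolve()
    # Defence in depth: after symlinks are resolved, the target must still
    # sit inside the upload directory.
    if not target.is_relative_to(base):
        raise UnsafeFilename(repr(filename))
    return target

def demo() -> dict:
    # Constructed sample filenames, not taken from any real request.
    samples = ["report.csv", "../../outside.txt", "/tmp/absolute.txt", ".."]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d).resolve()
        for s in samples:
            naive_inside = naive_upload_path(base, s).is_relative_to(base)
            try:
                stored = safe_upload_path(base, s).relative_to(base).as_posix()
            except UnsafeFilename:
                stored = None
            results[s] = (naive_inside, stored)
    return results

if __name__ == "__main__":
    for name, (naive_inside, stored) in demo().items():
        print(f"{name!r}: naive stays inside={naive_inside}, safe stores as={stored}")
```

The containment check matters even after the basename is isolated, because a symlink already present in the upload directory can still redirect the write elsewhere.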
LangGraph and LangChain-core widen the surface. LangGraph carries a SQL injection in its SQLite checkpointer (CVE-2025-67644, CVSS 7.3) where user-controlled filter keys are dropped into queries without parameterization, and the chain extends to full remote code execution in self-hosted deployments. LangChain-core has a path traversal in its legacy prompt-loading API (CVE-2026-34070, CVSS 7.5) that reads arbitrary files off disk, credentials included. Neither has confirmed in-the-wild exploitation yet, but public proof-of-concept code for LangGraph is available, and the Langflow campaign shows how quickly that status changes. Patches are specific and available: langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2.
The honest caveat is that 7,000 exposed is not 7,000 compromised. The reporting confirms exploitation activity, not the count of successful intrusions or what was actually taken. What the reporting also does not give you is any accounting of credential exfiltration: these frameworks sit on OpenAI API keys, database connections, and CRM tokens, so the downstream impact of a successful hit is significant but currently unquantified. The MuddyWater thread is worth watching closely; the Iranian state-sponsored group already weaponized an earlier Langflow flaw (CVE-2025-34291), which CISA added to its Known Exploited Vulnerabilities catalog in May, making this reportedly the third Langflow CVE to draw active exploitation this year.
Security vendors who build framework-specific detection before the next campaign arrives will find willing buyers. The broader lesson for teams running agent infrastructure in production is more immediate: patch to current versions, audit what credentials these frameworks can reach, and stop treating AI developer tooling as if it sits outside the attack surface.
Originally reported by venturebeat.com
Original headline: 7,000 Langflow Servers Under Active Exploit — LangGraph SQL Injection and LangChain Path Traversal Expose Shared Attack Surface Across Three Major AI Agent Frameworks