Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: langchain (2 articles)Clear

LangGraph flaw chain exposes self-hosted AI agents to code execution

Check Point has disclosed three now-patched flaws in LangGraph, the popular LangChain framework for building AI agents, that can be chained for remote code execution on self-hosted servers. The chain combines an SQL injection (CVE-2025-67644) with an unsafe msgpack deserialization bug (CVE-2026-28277): an attacker who can reach the agent's stored-state endpoint plants a malicious checkpoint that runs code when loaded. A compromised LangGraph server exposes everything the agent can touch, including model API keys, customer data, and internal network access. It is only exploitable in self-hosted deployments using the SQLite or Redis checkpointer; LangChain's managed LangSmith platform is not affected.

Check
Identify self-hosted LangGraph deployments using the SQLite or Redis checkpointer, check whether the get_state_history endpoint is exposed without authentication, and confirm the framework version against the patched releases.
Affected
Self-hosted LangGraph servers using the SQLite or Redis checkpointer with user-controlled filter input (CVE-2025-67644, CVE-2026-28277, CVE-2026-27022). Managed LangSmith deployments are not affected.
Fix
Upgrade LangGraph to the patched versions, require authentication on self-hosted servers, avoid long-lived static secrets, segment the network, and treat AI agents as privileged identities with least-privilege access.

Anthropic MCP STDIO design flaw exposes 200,000+ AI servers to RCE - 14 CVEs assigned, Anthropic calls it 'expected behavior' (backfill from April 15)

Backfill from April 15: OX Security disclosed an architectural flaw in the official Model Context Protocol SDKs (Python, TypeScript, Java, Rust) that lets attacker-controlled JSON config trigger arbitrary OS commands via the STDIO transport. Roughly 200,000 publicly reachable MCP servers and 150 million SDK downloads inherit the issue. OX has tied 14 CVEs to the same root cause across LiteLLM (patched), Bisheng (patched), Windsurf (zero-click RCE in Cursor-style IDEs, still reported), Flowise, LangFlow, GPT Researcher, Agent Zero, and DocsGPT. Anthropic declined to patch the protocol, calling the behavior 'expected.'

Check
Audit every MCP server installed in Claude Code, Cursor, and other AI dev tools, remove any whose origin you don't recognize, and treat MCP configs as executable code.
Affected
Any tool or service running an Anthropic-SDK MCP server with STDIO transport, especially when add/configure flow is exposed to user input or marketplaces. Confirmed-affected: LiteLLM, LangChain, LangFlow, Flowise, LettaAI, LangBot, DocsGPT, Bisheng, Windsurf, Cursor IDE workflows, GPT Researcher, plus any private MCP server built on the official SDK without input sanitization.
Fix
Patch downstream tools to fixed versions (LiteLLM, Bisheng, Cursor). Block public internet access to services that host MCP add/configure UIs. Treat all external MCP configuration input as untrusted; never let raw user input reach StdioServerParameters. Run MCP services in sandboxes with no production-secret access. Install MCP servers only from verified sources and pin to specific commits.