
All news with #langchain tag

17 articles

Anthropic MCP Design Flaw Enables Remote Code Execution

⚠️ OX Security disclosed a systemic "by design" vulnerability in Anthropic's Model Context Protocol (MCP) SDK that permits remote command execution across reference implementations (Python, TypeScript, Java, Rust). Unsafe defaults in MCP's STDIO configuration produced 10 vulnerabilities affecting projects such as LiteLLM, LangChain, and Flowise, impacting over 7,000 public servers and 150 million downloads. Several downstream vendors have issued patches, but Anthropic has declined to change the protocol reference implementation, leaving an ongoing AI supply-chain risk.

Microsoft Agent Governance Toolkit Addresses OWASP AI Risks

🛡️ Microsoft has released the open-source Agent Governance Toolkit to monitor and control AI agents during runtime as organizations move them into production. The toolkit enforces policies aligned with OWASP top risks for agentic systems, such as prompt injection, identity abuse, and tool misuse, while improving visibility across multi-step workflows. It ships as multi-language components and integrates with existing frameworks like LangChain without requiring agent rewrites. The project is in public preview under an MIT license.

LangChain path traversal bug raises AI pipeline risks

🛡️ Cyera researchers warn that insufficient input validation in AI orchestration tools can expose sensitive enterprise data. A newly disclosed path traversal flaw in LangChain (CVE-2026-34070) lets crafted input resolve paths outside intended directories and read arbitrary host files. Cyera analyzed that alongside an earlier unsafe deserialization issue (CVE-2025-68664) and a SQL injection affecting LangGraph checkpointing (CVE-2025-67644), showing how each flaw maps to distinct data exposures. Maintainers have released fixes; organizations should apply patches and adopt allowlists, sandboxing, safe deserialization practices, and parameterized queries immediately.

Critical Langflow RCE Exploited Hours After Disclosure

🚨 Attackers weaponized a critical Langflow remote code execution flaw within hours of disclosure, prompting CISA to add CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The issue stems from an unauthenticated build_public_tmp API endpoint that accepts workflow data and executes embedded Python code without sandboxing, giving unauthenticated attackers RCE on versions up to 1.8.2. Langflow released a fix in v1.9.0, and agencies are urged to patch by April 8, 2026.

LangChain and LangGraph Flaws Expose Files and Secrets

🔒 Researchers disclosed three vulnerabilities in LangChain and LangGraph that can expose filesystem files, environment secrets, and conversation history. The flaws — a path traversal, insecure deserialization, and an SQL injection — provide independent attack paths enabling exfiltration of Docker configs, API keys, and stored chats. Patches are available for the affected packages and organizations are urged to update immediately and audit prompt templates, deserialization paths, and checkpoint metadata.

CISA Warns: Critical Langflow RCE (CVE-2026-33017)

🔴 CISA warns that a critical code-injection vulnerability, CVE-2026-33017, in the Langflow AI workflow framework is being actively exploited for remote code execution. The flaw impacts Langflow versions 1.8.1 and earlier and can be triggered with a single crafted HTTP request due to unsandboxed flow execution, allowing attackers to build public flows without authentication. Administrators should upgrade to Langflow 1.9.0, disable or restrict the vulnerable endpoint, rotate keys and secrets, and avoid exposing Langflow directly to the internet. CISA added the issue to its Known Exploited Vulnerabilities list and set an April 8 deadline for agencies covered by BOD 22-01.

Critical Langflow RCE (CVE-2026-33017) Exploited Fast

⚠️ The Langflow open-source tool contains a critical vulnerability, CVE-2026-33017 (CVSS 9.3), that allows unauthenticated remote code execution via a POST endpoint that accepts attacker-supplied Python in the request payload. The flaw affects all versions up to and including 1.8.1 and is addressed in the development branch (1.9.0.dev8). Exploitation was observed within 20 hours of public disclosure; operators should apply updates, rotate secrets, and restrict access immediately.

Hackers Exploit Critical Langflow RCE Within 20 Hours

🔐 Sysdig reported that threat actors exploited a critical unauthenticated remote code execution vulnerability (CVE-2026-33017) in Langflow within 20 hours of the advisory publication. The flaw, rated CVSS 9.3, allows execution of arbitrary Python via a single HTTP request and requires no credentials. Attackers built functional exploits from the advisory despite no public PoC, scanned broadly, and exfiltrated keys, database credentials and cloud secrets. Sysdig warns organizations must accelerate patching and rethink vulnerability programs.

Securing AI Application Supply Chains: LangChain Case

🛡️ This case study details a high-severity serialization injection vulnerability (CVE-2025-68664, “LangGrinch”) in LangChain's langchain-core package that arises from improper handling of a reserved lc marker during dumps/dumpd operations. The flaw can enable unauthorized secret extraction, unintended class instantiation, or malicious side effects when attacker-controlled dictionaries are deserialized. Microsoft recommends immediate upgrades to patched versions and demonstrates how Defender for Cloud and Defender XDR can identify, remediate, and detect exposed workloads across code, build, and runtime stages. The post also offers practical hunting queries and remediation workflows to accelerate fixes.

Critical LangChain Core Vulnerability Allows Secret Theft

⚠️ A critical serialization injection flaw in LangChain Core (CVE-2025-68664, CVSS 9.3) can let attackers inject object structures via unescaped 'lc' keys and steal secrets or influence LLM outputs through prompt injection. Reported by Yarden Porat on December 4, 2025 and dubbed LangGrinch, the bug affects dumps()/dumpd() and improper deserialization paths. LangChain released patches that add an allowed_objects allowlist, disable Jinja2 templates by default, and set secrets_from_env to false; users should upgrade immediately.

AI startups expose API keys on GitHub, risking models

🔐 New research by cloud security firm Wiz found verified secret leaks in 65% of the Forbes AI 50, with API keys and access tokens exposed on GitHub. Some credentials were tied to vendors such as Hugging Face, Weights & Biases, and LangChain, potentially granting access to private models, training data, and internal details. Nearly half of Wiz’s disclosure attempts failed or received no response. The findings highlight urgent gaps in secret management and DevSecOps practices.

Equipping Autonomous AI Agents with Cyber Hygiene Practices

🔐 This post demonstrates a proof-of-concept for teaching autonomous agents internet safety by integrating real-time threat intelligence. Using LangChain with OpenAI and the Cisco Umbrella API, the example shows how an agent can extract domains from its input and query their dispositions to decide whether to connect. The agent returns clear disposition reports and abstains when no domains are present. The approach emphasizes informed decision-making over hard blocking.

Cloudflare Radar's Evolution: Expanding Internet Observability

📡 Since its 2020 debut, Cloudflare Radar has evolved into a comprehensive observability platform that aggregates Cloudflare telemetry to illuminate security, performance, and usage trends. Initially centered on Radar Internet Insights, Domain Insights, and IP Insights, the service has grown to include Certificate Transparency metrics, TCP reset/timeouts visibility, post-quantum adoption tracking, and AI-focused crawler analytics. Radar also added routing tools such as route leak and origin hijack detection, real-time BGP views, AS-SET monitoring, and notifications, while improving programmatic access via the Radar API and an MCP server for LLM integration. Popular utilities like the URL Scanner, expanded search and date-range options, and internationalized interfaces reinforce Radar's mission to make the Internet more observable and resilient.

Amazon CloudWatch Adds Generative AI Observability

🔍 Generative AI Observability for Amazon CloudWatch is now generally available, providing end-to-end telemetry for AI applications and AgentCore-managed agents. It expands monitoring beyond model runtime to include Built-in Tools, Gateways, Memory, and Identity, surfacing latency, token usage, errors, and performance across components. The capability integrates with orchestration frameworks such as LangChain, LangGraph, and Strands Agents, and works with existing CloudWatch features; the underlying telemetry is billed at standard CloudWatch pricing.

AWS releases MCP server for Billing and Cost Management

🧾 AWS has published an open-source Model Context Protocol (MCP) server for Billing and Cost Management, available in the AWS Labs GitHub repository. The server exposes AWS service APIs and a dedicated SQL-based calculation engine to produce reliable, reproducible cost calculations across large volumes of usage data. It integrates with any MCP-compatible AI assistant or agent — including Q Developer CLI, the Kiro IDE, Visual Studio Code, and Claude Desktop — enabling customers to analyze historical spend, find optimization opportunities, and estimate costs for new workloads with minimal configuration.

Langflow Misconfiguration Exposes Data of Pakistani Insurers

🔓 UpGuard secured a misconfigured Langflow instance that exposed data for roughly 97,000 insurance customers in Pakistan, including 945 individuals marked as politically exposed persons. The instance was used by Pakistan-based Workcycle Technologies to build AI chatbots for clients such as TPL Insurance and the Federal Board of Revenue. Exposed materials included PII, confidential business documents and credentials; access was removed after notification and UpGuard found no evidence of exploitation.

Langflow Misconfiguration Exposes 97,000 Pakistani Records

🔒 UpGuard secured an internet-exposed Langflow instance leaking data on roughly 97,000 Pakistani insurance customers, including 945 individuals flagged as politically exposed persons (PEPs). The instance—used by Pakistan-based consultants Workcycle Technologies to build AI chatbots for clients such as TPL Insurance and the Federal Board of Revenue—contained PII, confidential documents, and plaintext credentials. Access was removed after disclosure; UpGuard found no evidence of active exploitation.