
LangGraph Critical Vulnerability Chain: Unauthenticated Code Execution in AI Agent Frameworks — Detection and Remediation Guide

Security Arsenal Team
June 12, 2026

Introduction

Security researchers have disclosed a critical security flaw chain affecting LangGraph, the open-source framework developed by LangChain for building stateful, multi-agent AI applications. This vulnerability enables unauthenticated remote code execution, placing any organization hosting LangGraph-based AI agents at immediate risk of complete server compromise.

The attack chain leverages a SQL injection vulnerability within LangGraph's core functionality, allowing attackers to bypass authentication mechanisms and execute arbitrary commands on the underlying host system. Given the increasing adoption of AI agents in enterprise environments—particularly for automating sensitive operations—this vulnerability represents a high-impact risk requiring urgent remediation.

Defenders must act immediately. Organizations running self-hosted LangGraph instances are exposed to potential ransomware deployment, data exfiltration, and lateral movement within their infrastructure. This is not a theoretical risk; the vulnerability chain has been fully disclosed and patches are now available.

Technical Analysis

Affected Products and Platforms

  • Product: LangGraph (LangChain open-source framework)
  • Platform: All self-hosted deployments on Linux and Windows servers
  • Component: Core API endpoints handling stateful agent operations
  • Affected Versions: All versions prior to the latest security patch released in June 2026

Vulnerability Chain Breakdown

The disclosed vulnerability chain consists of three security flaws, the most critical being a SQL injection vulnerability that enables the full attack chain:

  1. SQL Injection (Primary Vector): An input validation flaw in LangGraph's state management function allows malicious SQL statements to be injected via specially crafted API requests. The function responsible for retrieving or updating agent state fails to properly sanitize user-controlled input.

  2. Authentication Bypass: The SQL injection can be leveraged to bypass authentication mechanisms, allowing unauthenticated attackers to interact with protected endpoints.

  3. Deserialization/Code Execution: Once the authentication check has been bypassed, the attacker can exploit unsafe deserialization or command injection in subsequent request handlers to achieve arbitrary code execution.
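To make the first link of the chain concrete, here is an added example (not LangGraph's code; the table, column names and identifier format are assumptions) of a state-lookup function in the vulnerable shape the advisory describes, next to its parameterized replacement, run against a constructed in-memory SQLite store:

```python
import re
import sqlite3

# Hypothetical, minimal agent-state table used only for this illustration; the schema and
# column names are assumptions, not LangGraph's own storage layer.
def build_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thread_state (thread_id TEXT, owner TEXT, state TEXT)")
    conn.executemany(
        "INSERT INTO thread_state VALUES (?, ?, ?)",
        [("t-1001", "alice", '{"step": "plan"}'),
         ("t-2002", "bob", '{"step": "done"}')],   # constructed sample rows
    )
    return conn


def get_state_vulnerable(conn: sqlite3.Connection, thread_id: str, owner: str) -> list:
    # The bug class in the advisory: a caller-controlled identifier is pasted into the SQL
    # text, so quote characters inside it rewrite the WHERE clause and the owner check no
    # longer constrains the result (the authentication-bypass effect described above).
    sql = (f"SELECT state FROM thread_state "
           f"WHERE thread_id = '{thread_id}' AND owner = '{owner}'")
    return [row[0] for row in conn.execute(sql)]


THREAD_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")   # assumed identifier format


def is_valid_thread_id(thread_id: str) -> bool:
    # Defence in depth for the request handler: reject identifiers outside the expected
    # shape before they reach any query at all.
    return THREAD_ID_RE.fullmatch(thread_id) is not None


def get_state_hardened(conn: sqlite3.Connection, thread_id: str, owner: str) -> list:
    # Parameter binding keeps the value as data; the database never parses it as SQL, so
    # the owner check always applies and a crafted identifier simply matches no row.
    sql = "SELECT state FROM thread_state WHERE thread_id = ? AND owner = ?"
    return [row[0] for row in conn.execute(sql, (thread_id, owner))]


if __name__ == "__main__":
    db = build_store()
    crafted = "t-2002' OR '1'='1"
    print("vulnerable:", get_state_vulnerable(db, crafted, "alice"))  # leaks bob's row too
    print("hardened:  ", get_state_hardened(db, crafted, "alice"))    # []
```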

Exploitation Requirements

  • Network Access: Remote, unauthenticated network access to the LangGraph API endpoint
  • Complexity: Low—exploitation requires minimal technical knowledge
  • Privileges Required: None (unauthenticated)
  • User Interaction: None

Exploitation Status

  • Public Disclosure: Full details have been released by cybersecurity researchers
  • Patches Available: Yes (released by LangChain in June 2026)
  • Proof-of-Concept: Publicly available
  • Active Exploitation: Not yet confirmed in the wild, but expected given the ease of exploitation

Detection & Response

SIGMA Rules

---
title: Potential SQL Injection Attempt Against LangGraph API
id: 8d4f2a1c-7e3b-4d5f-9a1e-2c3b4d5e6f7a
status: experimental
description: Detects potential SQL injection attempts targeting LangGraph API endpoints, specifically looking for SQL syntax in HTTP request URIs or bodies targeting state management functions.
references:
  - https://langchain.com/security/advisory
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.initial_access
  - attack.t1190
  - attack.webshell
  - cve.2026.langgraph
logsource:
  category: webserver
  product: nginx
detection:
  selection_uri:
    cs-uri-query|contains:
      - '/api/state'
      - '/api/agent'
  # The SQL markers may sit in the query string or in the body, so they are two
  # selections joined with "1 of"; inside a single map both fields would have to match.
  # Note: this rule matches raw log fields, so percent-encoded variants (%27%20OR) are
  # only caught if the log pipeline decodes the request before matching.
  selection_sqli_uri:
    cs-uri-query|contains:
      - "' OR"
      - "' UNION"
      - "' --"
      - "/* */"
      - "||"
      - "1=1"
  # cs-body is only populated by log formats that record request bodies (WAF or
  # application logs); a standard nginx access log carries no body.
  selection_sqli_body:
    cs-body|contains:
      - "' OR"
      - "' UNION"
      - "' --"
      - "/* */"
  condition: selection_uri and 1 of selection_sqli_*
falsepositives:
  - Legitimate developer testing with SQL-like strings
  - Application error messages containing SQL snippets
level: high
---
title: LangGraph Process Spawning from Web Service Context
id: 9e5g3b2d-8f4c-5e6g-0b2f-3d4e5f6g7h8i
status: experimental
description: Detects suspicious process execution spawned by web service processes hosting LangGraph, which may indicate successful code execution exploitation.
references:
  - https://langchain.com/security/advisory
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.execution
  - attack.t1059
  - attack.t1203
  - cve.2026.langgraph
logsource:
  category: process_creation
  product: linux
detection:
  # ParentImage is the standard Sigma field for the parent process path
  selection_parent:
    ParentImage|contains:
      - 'python'
      - 'node'
      - 'uvicorn'
      - 'gunicorn'
  # Both the image and the command line must match (same map = AND), which keeps
  # ordinary subprocess calls from the agent out of the alert stream.
  selection_suspicious:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/python'
      - '/perl'
      - '/nc'
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - 'reverse'
      - 'bind shell'
      - 'base64 -d'
      - 'chmod +x'
      - 'http://'
  condition: selection_parent and selection_suspicious
falsepositives:
  - Legitimate administrative scripts
  - Developer testing activities
level: high
---
title: Suspicious Outbound Network Connection from LangGraph Host
id: 0f6h4c3e-9g5d-6f7h-1c3g-4e5f6g7h8i9j
status: experimental
description: Detects outbound network connections from LangGraph hosting processes to non-standard ports or known malicious IPs, potentially indicating command and control activity.
references:
  - https://langchain.com/security/advisory
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.t1095
  - cve.2026.langgraph
logsource:
  category: network_connection
  product: linux
detection:
  selection_process:
    Image|contains:
      - 'python'
      - 'node'
  selection_destination:
    # Port 443 will also match every legitimate LLM/API call the agent makes; pair it
    # with an allowlist of known API destinations or drop it before alerting on this rule.
    DestinationPort:
      - 4444
      - 5555
      - 6666
      - 8000
      - 443
    Initiated: true
  # DestinationIp is the standard Sigma field name for the remote address
  filter_legitimate:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection_process and selection_destination and not filter_legitimate
falsepositives:
  - Legitimate API calls to external services
  - Developer testing with external endpoints
level: medium
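As an added example, not part of the original rule set, the following Python applies the first Sigma rule's logic to constructed nginx access-log lines and decodes the query string before matching, which a rule on the raw field does not do; the log format, endpoints and marker list are assumptions taken from the rule above:

```python
import re
from urllib.parse import unquote_plus

# Endpoints and markers mirror the first Sigma rule above; both lists are illustrative
WATCHED_PATHS = ("/api/state", "/api/agent", "/api/thread")
SQLI_MARKERS = ("' or", "' union", "' --", "/* */", "1=1", "||")

# nginx "combined" format: client - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_line(line: str):
    """Return a finding for a watched-endpoint request carrying SQL markers, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.startswith(WATCHED_PATHS):
        return None
    # Decode percent-encoding and '+' before matching: %27%20OR is the same request
    # as ' OR, and a check that only looks at the raw field misses it.
    decoded = unquote_plus(query).lower()
    hits = [marker for marker in SQLI_MARKERS if marker in decoded]
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": m.group("status"), "markers": hits}


def scan(lines):
    return [finding for finding in map(inspect_line, lines) if finding]


# Constructed sample access log: one benign call, two encoded injection attempts on
# watched endpoints, and one attempt against an unwatched path the rule should ignore.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jun/2026:10:01:02 +0000] "GET /api/state?thread_id=t-1001 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [15/Jun/2026:10:01:05 +0000] "GET /api/state?thread_id=t-1001%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [15/Jun/2026:10:02:00 +0000] "GET /docs?q=%27%20OR%201%3D1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2026:10:03:00 +0000] "POST /api/agent?name=x%27%20UNION%20SELECT HTTP/1.1" 500 88 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Request bodies are absent from standard access logs, so the rule's cs-body side needs a WAF or application-level log; this checker covers the URI side only.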

KQL (Microsoft Sentinel / Defender)

// Query 1: Hunt for SQL injection patterns in LangGraph API requests
// Bare ";" and "UPDATE" match a large share of ordinary requests; keep them for narrow hunts only.
let SQLiKeywords = dynamic(["' OR", "' UNION", "' --", "/* */", "||", "1=1", ";", "DROP", "INSERT", "UPDATE"]);
let LangGraphEndpoints = dynamic(["/api/state", "/api/agent", "/api/thread"]);
Syslog
// nginx/apache forward access logs under their process name; Facility is the syslog facility, not the application
| where ProcessName in~ ("nginx", "apache2", "httpd")
| extend RequestPath = extract(@'(?:GET|POST|PUT|PATCH|DELETE)\s+(\/[^\s]+)', 1, SyslogMessage)
// Only present when the access-log format records the request body
| extend RequestBody = extract(@'Body:\s*({[^}]+})', 1, SyslogMessage)
| where RequestPath has_any (LangGraphEndpoints)
// Decode percent-encoding first so %27%20OR is matched the same way as ' OR
| where url_decode(SyslogMessage) has_any (SQLiKeywords)
| project TimeGenerated, Computer, HostIP, RequestPath, RequestBody, SyslogMessage
| order by TimeGenerated desc

// Query 2 (run separately): Detect suspicious process execution from web service contexts
DeviceProcessEvents
// Linux interpreters carry version suffixes (python3, python3.11), so match by pattern
| where InitiatingProcessFileName matches regex @"^(python[0-9.]*|node|uvicorn|gunicorn)$"
| where FileName matches regex @"^(bash|sh|dash|python[0-9.]*|perl|nc|ncat|curl|wget|powershell)$"
| where ProcessCommandLine has_any ("reverse", "bind", "base64 -d", "chmod", "http://", "https://")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc

// Query 3 (run separately): Identify outbound connections from LangGraph hosts to non-standard ports
// Port 443 will also match legitimate LLM/API traffic; pair it with an allowlist or drop it before alerting.
DeviceNetworkEvents
| where InitiatingProcessFileName matches regex @"^(python[0-9.]*|node)$"
| where RemotePort in (4444, 5555, 6666, 8000, 443)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
// ipv4_is_private() covers 10/8, 172.16/12 and 192.168/16
| where not(ipv4_is_private(RemoteIP))
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc

Velociraptor VQL

-- Hunt for suspicious processes spawned by LangGraph/Python web services
-- The parent PIDs are materialised once (<=) and reused as a list by the queries below,
-- so run this whole block in one notebook cell.
LET web_parents <= SELECT Pid FROM pslist()
  WHERE Name =~ '^(python|node|gunicorn|uvicorn)'

-- Anchored regexes: an unanchored 'sh' would also match ssh, zsh and fish, and 'nc' would match rsync
SELECT Pid, Ppid, Name, Exe, CommandLine, Username, CreateTime
FROM pslist()
WHERE Ppid IN web_parents.Pid
  AND Name =~ '^(bash|sh|dash|nc|ncat|curl|wget|perl)$'
  AND CommandLine =~ 'reverse|bind|base64|chmod|https?://'

-- Search for recent modifications to LangGraph installation directories
-- (dist-packages for distribution installs, site-packages for pip/venv installs)
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs=["/usr/local/lib/python*/dist-packages/langgraph/**/*.py",
                 "/usr/local/lib/python*/site-packages/langgraph/**/*.py"])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Identify established network connections from web service processes
SELECT Pid, FamilyString, TypeString, Status,
       Laddr.IP AS LocalAddress, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort
FROM netstat()
WHERE Pid IN web_parents.Pid
  AND (Raddr.Port IN (4444, 5555, 6666, 8000) OR Status =~ 'ESTAB')
  AND NOT Raddr.IP =~ '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)'

-- Check for recent Python packages that may have been installed maliciously
SELECT OSPath, Size, Mtime
FROM glob(globs="/root/.local/lib/python*/site-packages/**")
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600) AND NOT OSPath =~ '__pycache__'

Remediation Script (Bash)

#!/bin/bash
# LangGraph Security Hardening and Patch Verification Script
# Run as root or with sudo privileges

set -euo pipefail

echo "[+] Starting LangGraph security assessment and remediation..."

# Pick the pip that can see LangGraph (pip first, then pip3) so every later step uses the same one
PIP=""
for candidate in pip pip3; do
    if command -v "$candidate" >/dev/null 2>&1 && "$candidate" show langgraph >/dev/null 2>&1; then
        PIP="$candidate"
        break
    fi
done
if [[ -z "$PIP" ]]; then
    echo "[!] LangGraph not detected on this system (checked pip and pip3)."
    exit 1
fi

# Get current LangGraph version
CURRENT_VERSION=$("$PIP" show langgraph 2>/dev/null | awk -F': ' '/^Version:/ {print $2}')
if [[ -z "$CURRENT_VERSION" ]]; then
    echo "[!] Could not determine the installed LangGraph version."
    exit 1
fi
echo "[+] Current LangGraph version: $CURRENT_VERSION"

# Placeholder version check: the pattern below is illustrative only. Replace it with the
# vulnerable version range from the official LangChain advisory before relying on it.
VULNERABLE_PATTERN="^(0\.0\..*|0\.1\.[0-4]|0\.2\.[0-9])$"
if [[ "$CURRENT_VERSION" =~ $VULNERABLE_PATTERN ]]; then
    echo "[!!!] CRITICAL: Vulnerable LangGraph version detected: $CURRENT_VERSION"
    echo "[+] Attempting to update to the latest secure version..."

    # Backup current environment
    BACKUP="/tmp/langgraph_backup_$(date +%Y%m%d_%H%M%S).txt"
    "$PIP" freeze > "$BACKUP"
    echo "[+] Environment packages backed up to $BACKUP"

    # Update LangGraph
    "$PIP" install --upgrade langgraph

    NEW_VERSION=$("$PIP" show langgraph 2>/dev/null | awk -F': ' '/^Version:/ {print $2}')
    echo "[+] LangGraph updated to: $NEW_VERSION"
else
    echo "[+] LangGraph version appears to be patched or not vulnerable."
fi

# Check for exposed web services (ss is preferred; netstat is the fallback on older hosts)
echo "[+] Checking for running LangGraph web services..."
if command -v ss >/dev/null 2>&1; then
    LISTENERS=$(ss -Hltn 2>/dev/null | grep -E ':(8000|5000|8123|8080)\s' || true)
else
    LISTENERS=$(netstat -tuln 2>/dev/null | grep -E ':(8000|5000|8123|8080)\s.*LISTEN' || true)
fi
if [[ -n "$LISTENERS" ]]; then
    echo "[!] Potential web services detected on common LangGraph ports."
    echo "[!] Verify these services are patched and properly firewalled."
    echo "$LISTENERS"
fi

# Check for suspicious recent file modifications in Python directories
# (capture the output and test it: head exits 0 even when find prints nothing)
echo "[+] Scanning for recent modifications in Python site-packages..."
RECENT_PY=$(find /usr/local/lib /usr/lib /root/.local -path "*site-packages*" -name "*.py" \
    -newermt "7 days ago" 2>/dev/null | head -20 || true)
if [[ -n "$RECENT_PY" ]]; then
    echo "[!] Recently modified .py files under site-packages (review each):"
    echo "$RECENT_PY"
else
    echo "[+] No recent modifications found in site-packages."
fi

# Verify no unauthorized downloads or scripts
echo "[+] Checking for suspicious downloads in temporary directories..."
RECENT_TMP=$(find /tmp /var/tmp -maxdepth 1 -type f -newermt "7 days ago" \
    \( -name "*.sh" -o -name "*.py" -o -name "*.pl" \) 2>/dev/null || true)
if [[ -n "$RECENT_TMP" ]]; then
    echo "[!] Recently created scripts in temporary directories (review each):"
    echo "$RECENT_TMP"
else
    echo "[+] No suspicious scripts found in temporary directories."
fi

echo "[+] Security assessment complete."
echo "[!!!] If a vulnerable version was detected, restart all LangGraph services immediately."
echo "[+] Review logs for any signs of exploitation over the past 30 days."

Remediation

Immediate Actions Required

  1. Update LangGraph Immediately: All organizations running self-hosted LangGraph must update to the latest patched version released in June 2026. Check the official LangChain GitHub repository and security advisories for the specific version number.

  2. Restart All Services: After applying the patch, restart all LangGraph services and the underlying application server (e.g., Gunicorn, Uvicorn) to ensure the updated code is loaded.

  3. Review Access Logs: Examine web server access logs for the past 30 days for indicators of SQL injection attempts or suspicious API calls targeting LangGraph endpoints. Look for patterns containing SQL syntax (' OR, ' UNION, 1=1) in /api/state or /api/agent endpoints.

  4. Audit System Integrity: Perform a thorough system integrity check on all hosts running LangGraph:

    • Scan for unauthorized files in Python site-packages directories
    • Check for new user accounts or modified sudo privileges
    • Review cron jobs and systemd services for suspicious persistence mechanisms
    • Analyze running processes for unexpected child processes spawned by web services

  5. Implement Network Segmentation: Ensure LangGraph instances are not directly exposed to the internet. Place them behind a Web Application Firewall (WAF) with rules specifically blocking SQL injection attempts.

  6. Rotate Secrets: If exploitation is suspected, immediately rotate all database credentials, API keys, and secrets stored in the environment or configuration files accessible to the LangGraph application.

Workarounds (If Patch Cannot Be Applied Immediately)

If immediate patching is not possible, implement the following mitigations:

  1. Restrict Access: Block all access to LangGraph API endpoints except from trusted internal IP addresses using network ACLs or firewall rules.

  2. WAF Rules: Deploy strict input validation rules at the WAF level to block SQL injection patterns before they reach the application.

  3. Disable Vulnerable Endpoints: If the specific vulnerable endpoint is known and not critical, temporarily disable it until patching can be completed.

  4. Enhanced Monitoring: Deploy the detection rules provided above and configure 24/7 alerting for any matches.

Timeline for Remediation

  • Critical: Patch within 24 hours for exposed internet-facing instances
  • High: Patch within 72 hours for internal network-facing instances
  • Medium: Patch within 1 week for isolated development environments
