Laurent Giraid is an AI technologist who bridges the gap between high-level machine learning innovation and the gritty, often overlooked realities of enterprise infrastructure. With foundational frameworks like LangGraph, LangChain, and Langflow being integrated into production environments at a breakneck pace, Giraid has spent the last year auditing the “plumbing” that allows these agents to interact with the real world. He has watched as the industry prioritized developer speed over basic security hygiene, leading to a landscape where 30-year-old bug classes are suddenly imperiling the most advanced neural networks on the planet. In this discussion, he explores how these vulnerabilities manifest, why they evade standard security suites, and how organizations can protect their business logic from the “blast radius” of a compromised agent.
The central themes of this conversation focus on the critical transition of AI frameworks into production-grade infrastructure and the security debt being inherited in the process. We delve into the mechanics of specific remote code execution chains, such as the SQL injection flaws in LangGraph and the path traversal issues in Langflow. The discussion also highlights the “governance failure” where security teams misclassify these powerful automation tools, allowing them to bypass traditional oversight. Finally, we address the necessity of moving beyond simple technical patching to understanding the broader impact a compromised agent has on a company’s automated decision-making processes.
How do basic SQL injection vulnerabilities in agent memory layers, like those recently found in the LangGraph framework, actually translate into a total system compromise?
The danger in LangGraph isn’t just about leaking a few database rows; it is about how that data is used to rebuild the agent’s brain during a session. When you look at CVE-2025-67644, you see a classic failure where user-controlled filter keys are dropped directly into a SQL query with no parameterization, and while that sounds like an old-school web bug, it’s the first step in a deadly chain. Because this framework has cleared over 50 million downloads a month, the potential for widespread exposure is massive if an attacker can reach an endpoint like get_state_history(). Once they use that SQL injection to write a fabricated row into the checkpoint table, the second vulnerability, CVE-2026-28277, finishes the job by using a msgpack decoder to rebuild Python objects from that forged data. This allows the attacker to call any named function, including os.system, effectively handing them a shell on the box under the identity of the agent server. It is a visceral reminder that if you don’t secure the persistence layer where the agent stores its execution state, you are essentially leaving the keys to the kingdom under a digital doormat.
It seems almost ironic that cutting-edge AI is being brought down by “classic” AppSec flaws like path traversal; why are these frameworks becoming such a significant blind spot for modern infrastructure?
The irony is thick, but it’s a predictable result of what Merritt Baer calls “shipping with insecure defaults,” a mistake we have seen in nearly every major protocol rollout for decades. These frameworks became production infrastructure faster than anyone could build a boundary around them, and because they feel like “AI,” security teams often fail to realize they are just another piece of software that handles file uploads and database credentials. In the case of Langflow’s CVE-2026-5027, which carries a staggering CVSS of 8.8, the path traversal is as basic as it gets—it takes a filename straight from form data without any sanitization. An attacker can simply pack that name with traversal sequences to drop a malicious file, such as a cron job, anywhere on the disk. Because these tools are often deployed with auto-login enabled, a single unauthenticated request is all it takes to earn a shell and start siphoning off CRM tokens or database keys.
When we look at the specific case of Langflow and its active exploitation by groups like MuddyWater, what does the reality of this landscape tell us about the risks of “Shadow AI” within an enterprise?
The exploitation of Langflow is no longer a theoretical exercise; we have seen real-world hits caught by sensors as early as June 9, following a patch that was released back in April. This gap—where instances sit unpatched and exposed on the internet for months—is exactly where state-sponsored groups like the Iranian-linked MuddyWater operate. Censys has identified roughly 7,000 exposed instances of Langflow, mostly in North America, sitting in the open with no authentication required due to those convenient default settings. It tells us that many organizations are running “Shadow AI,” where developers stand up these frameworks for speed without involving security governance, essentially routing around the very protections meant to save them. If a team files a tool under “developer convenience” but then wires it into the company’s internal APIs and secret stores, they have created a high-risk entry point that the official security program doesn’t even know exists.
You’ve mentioned that traditional scanners often fail to see these threats; can you explain why a standard WAF or EDR tool might wave through an attack targeting an internal msgpack decoder or a prompt loader?
Traditional tools are essentially looking at the wrong layer of the stack; a WAF watches HTTP traffic at the edge, while an EDR monitors processes, but neither is designed to understand what’s happening inside a specific imported Python framework. When an attacker exploits CVE-2026-34070 in LangChain-core to read an .env file holding your OpenAI or Anthropic API keys, the WAF doesn’t see anything suspicious because it looks like a legitimate request for a prompt configuration. The internal logic of the load_prompt() function doesn’t check for traversal sequences, so the framework itself becomes the weapon, reading secrets off the disk that it was never meant to touch. Even an EDR might wave the process through because the agent server is making the same types of file calls it makes a thousand times a day. This creates a massive blind spot where the root cause of the breach is an old-school bug living three layers deep in a library that the security team assumed was safe simply because it was “AI plumbing.”
How should security leaders reframe the risk of AI framework vulnerabilities when speaking to a board that might only view these as minor technical glitches?
The conversation with the board has to move away from CVE numbers and toward what Assaf Keren calls the “business blast radius.” Most technical teams can map out how a shell is gained, but the board needs to understand that when an AI engine triggers a major financial or operational adjustment based on poisoned data, it’s not just a security incident—it’s a wrong business decision executed at machine speed. If an RCE on an agent server allows an attacker to access every credential and integration token the process holds, the damage isn’t limited to one application; it extends to every CRM, database, and internal API that the agent was designed to touch. You have to explain that a single break in one framework hands over the keys to the entire data supply chain, and if the agent acts on production systems with those hijacked credentials, the outcome could be a catastrophic error that no one in the company can explain or reverse. It’s about framing the framework not as a “tool,” but as a high-privilege actor that requires the same level of scrutiny as a human administrator.
What is your forecast for the security of AI agent frameworks over the next couple of years?
I expect we are entering a “cleanup decade” where we will be forced to retroactively build authentication and least privilege into these frameworks because we failed to do it on day one. We are already seeing companies like CrowdStrike report that their AI detection and response lines are up more than 250%, which signals that the market is finally realizing that real money and real risk are shifting to this vulnerable “plumbing” layer. My forecast is that we will see a move away from these open, “do-it-all” frameworks toward much more isolated, task-specific agents that operate within strictly defined trust boundaries. Security teams will stop treating these as “survey tools” or “dev experiments” and start auditing them as critical production infrastructure, which will include patching on the day of disclosure rather than waiting for a federal catalog entry. If we don’t close the gap between the speed of deployment and the speed of securing these memory layers and prompt loaders, we will continue to see machine-speed breaches that can dismantle a company’s operational integrity in minutes.
