Multi-Agent System Security: When LangChain Goes Wrong

By Maya, Content Lead at Evvo Labs | 2026-06-11 | Pillar 2: AI & LLM Security


The 60-Second Version

If you build LLM applications on LangChain or LangGraph — the framework that powers an estimated majority of production agentic AI deployments — your stack is exposed to a chain of disclosed critical CVEs that turn prompt injection into remote code execution, environment-variable exfiltration, and database takeover. Within a six-week window in spring 2026, researchers disclosed critical vulnerabilities in LangChain (CVE-2025-68664, CVSS 9.3; CVE-2026-34070, CVSS 7.5), LangGraph (CVE-2025-67644, CVSS 7.3; CVE-2025-64439), Microsoft Semantic Kernel, PraisonAI, and FlowiseAI. Several were chained with indirect prompt injection to escalate from “user typed a prompt” to “attacker controls the host.” The vulnerabilities are patched. The architectural pattern that makes them dangerous — agents trusting peer-agent messages, agents executing LLM-generated code, shared state without provenance — is not.

This post is the technical post-mortem. It covers the disclosed CVEs, the new attack patterns they enable (especially across multi-agent pipelines), and what defenders running agentic AI in production need to do this quarter.


1. Why LangChain Matters More Than It Should

LangChain and its stateful companion LangGraph underpin a disproportionate share of the agentic AI market. When Cyera Research published the “LangDrained” coordinated disclosure on 27 March 2026, it did not affect one application — it affected every agent deployment built on top of these frameworks. That is a concentration of infrastructure risk that, in traditional software, would be measured at the level of an entire OS or container runtime. In agentic AI, it is measured at the level of one Python package.

Microsoft’s own case study of CVE-2025-68664 (the LangChain core serialization flaw known as “LangGrinch”) called it out: “This flaw exposes risks associated with insecure deserialization in agentic ecosystems that rely heavily on structured metadata exchange.” The same advisory recommends the same controls you’d recommend for a compromised CI/CD pipeline — patch immediately, audit exposure, segment trust.

The lesson is that framework risk in agentic AI is now a board-level concern, not a developer concern.


2. The Spring 2026 Disclosure Cluster

The pattern of disclosures is itself the story. Researchers at Cyera, Cyata, Invariant Labs, Trend Micro ZDI, Microsoft, and the Cloud Security Alliance produced a near-continuous stream of critical disclosures against agentic frameworks over a six-week window. The table below is the minimum every team shipping LangChain-based agents must know:

| CVE | Framework | CVSS | Class | Patched In |
|---|---|---|---|---|
| CVE-2025-68664 “LangGrinch” | langchain-core | 9.3 | Serialization injection → RCE, env-var leak | >=0.3.81 / >=1.2.5 |
| CVE-2026-34070 | langchain-core (prompt loading) | 7.5 | Path traversal | >=1.2.22 |
| CVE-2025-67644 | langgraph-checkpoint-sqlite | 7.3 | SQL injection in checkpoint store | >=3.0.1 |
| CVE-2025-64439 | langgraph-checkpoint | High | RCE via deserialized checkpoint | >=3.0 |
| CVE-2026-41488 | langchain-openai | Med | SSRF (TOCTOU/DNS rebinding) in image-token counting | >=1.1.14 |
| CVE-2026-41481 | langchain-text-splitters | 6.5 | Redirect SSRF in HTML splitter | >=1.1.2 |
| CVE-2026-41264 | FlowiseAI | High | Auth’d RCE via CSV Agent LLM-code execution | >=3.1.0 |
| CVE-2026-25592 / -26030 | Microsoft Semantic Kernel | Critical | Prompt injection → host RCE | Patched (KB) |

The pattern across all of them: prompt injection is no longer just a content-filtering problem. It is the initial access vector for code-execution, file-read, and database-takeover outcomes. CSA’s analysis of the cluster is explicit: “Prompt injection serves as an initial access vector that enables downstream exploitation of higher-severity vulnerabilities in multiple CVEs documented here, rather than functioning solely as a standalone risk.”

This is the same shape as the classic 2010s web vulnerability chain — XSS → SSRF → cloud-metadata exfiltration → credential theft → pivot. In 2026, prompt injection has taken the role of XSS in the new agentic kill chain.


3. Anatomy of CVE-2025-68664 (LangGrinch) — How a Prompt Becomes Code

LangChain uses a custom serialization format to maintain state across components. To distinguish between data and trusted LangChain objects, the framework uses a reserved dictionary key: `lc`. During deserialization, any dictionary containing `lc` is interpreted not as user input, but as an already-serialized LangChain object.

The bug: the `dumps()` and `dumpd()` functions did not properly escape or neutralize the `lc` key when processing user-controlled dictionaries. If an attacker can inject a dictionary containing `lc` into a data stream that is later deserialized, the framework will reconstruct a malicious object — instantiating arbitrary classes reachable from langchain-core and langchain-community.

In configurations using Jinja2 prompt templates, that class-instantiation path reaches the template engine and achieves arbitrary code execution.
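An added defender-side check (not LangChain's own code) for the failure mode described above: before any user- or peer-controlled structure is handed to a deserializer, walk it and refuse anything carrying the reserved `lc` marker, reporting where it was found. The sample documents and field names are constructed; the gate is a defence-in-depth input check, separate from the serializer fix shipped in the patched versions.

```python
from typing import Any, Iterator

# LangChain's reserved marker: a dict carrying this key is treated as an
# already-serialized framework object, not as plain data, when deserialized.
LC_MARKER = "lc"


def find_lc_markers(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every dict that carries the lc key.

    Recurses through nested dicts and lists: the dangerous dict can sit
    arbitrarily deep inside otherwise harmless metadata.
    """
    if isinstance(obj, dict):
        if LC_MARKER in obj:
            yield path
        for key, value in obj.items():
            yield from find_lc_markers(value, f"{path}.{key}")
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from find_lc_markers(value, f"{path}[{index}]")


class UntrustedSerializedObject(ValueError):
    """Untrusted input tried to pass itself off as a framework object."""


def gate_untrusted(obj: Any) -> Any:
    """Return obj unchanged if it is plain data; raise if it smuggles an lc marker.

    Call this on anything user- or peer-agent-controlled (metadata, tool output,
    retrieved documents) before it is handed to a deserializer.
    """
    hits = list(find_lc_markers(obj))
    if hits:
        raise UntrustedSerializedObject(
            f"reserved {LC_MARKER!r} key in untrusted input at: {', '.join(hits)}"
        )
    return obj


if __name__ == "__main__":
    # Constructed sample: a benign document, and one whose metadata smuggles an lc dict.
    benign = {"page_content": "quarterly report", "metadata": {"source": "wiki"}}
    smuggled = {
        "page_content": "quarterly report",
        "metadata": {"tags": ["finance", {"lc": 1, "type": "constructor"}]},
    }
    print(list(find_lc_markers(smuggled)))  # ['$.metadata.tags[1]']
    gate_untrusted(benign)
    try:
        gate_untrusted(smuggled)
    except UntrustedSerializedObject as exc:
        print("blocked:", exc)
```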

In real deployments before patching, this was used to:

  • **Extract environment variables** — every API key, database credential, cloud service token, configuration secret.
  • **Instantiate unintended classes** during object reconstruction, creating attacker-controlled internal objects the orchestrator treats as trusted.
  • **Achieve host-level RCE** in configurations where Jinja2 templates were in use.

The disclosure notes that several companies suffered customer-data exfiltration and cryptomining on their cloud infrastructure before the patch was published. This is not a theoretical CVSS 9.3 — it was a CVSS 9.3 with named victims.


4. The Multi-Agent Multiplier

Single-agent LangChain deployments were bad enough. Multi-agent LangGraph deployments are a fundamentally different security problem.

LangGraph is specifically designed to support stateful multi-agent workflows in which specialised agents collaborate, delegate tasks, and pass information to each other. This architecture creates lateral movement paths that do not exist in single-agent deployments. CSA’s “Living Off the Agent” (LOTA) research note from May 2026 documents the pattern:

  1. A compromised low-privilege agent sends a message to a higher-privilege peer.
  2. The peer treats the message as a trusted operational directive (because there is no current standard for inter-agent authentication or message integrity verification).
  3. The higher-privilege agent executes the embedded instructions — exfiltrating data, escalating permissions, or forwarding credentials to the attacker’s downstream agent.

The OWASP Top 10 for Agentic Applications (2026) elevated this exact pattern to ASI03: Identity & Privilege Abuse and ASI07: Insecure Inter-Agent Communication. The accompanying detection rule (ATR-2026-00074: Cross-Agent Privilege Escalation) defines it as: “Attackers exploit multi-agent architectures by having a compromised or lower-privilege agent forward credentials, assume roles of higher-privilege agents, or bypass orchestrator controls through direct agent-to-agent messaging.”

A real-world example: ServiceNow Now Assist (November 2025). Researchers at AppOmni disclosed a second-order prompt injection in ServiceNow’s Now Assist platform: a low-privileged user could embed instructions in a service case description. When a higher-privilege agent operated on that case, it would export sensitive case files and escalate account permissions — without any compromise of underlying infrastructure. Pure inter-agent trust exploitation.

The generalised cascade pattern, formalised by redteams.ai:

  1. Attacker poisons a web page
  2. Research Agent fetches the page → compromised
  3. Research Agent sends summary to Analysis Agent → propagation
  4. Analysis Agent consults Database Agent for data → lateral movement
  5. Database Agent returns sensitive data to Analysis Agent
  6. Analysis Agent includes sensitive data in final report
  7. Report is sent to user with exfiltrated data embedded

The blast radius grows with each agent in the chain because each agent adds its own tools, permissions, and data sources to the compromised operation.


5. The 2026 Attack Surface Map

What follows is the operational taxonomy defenders need to map their stack against. Each item is a documented attack class, not speculation.

5.1 Indirect Prompt Injection (IPI) — The Initial Access

The baseline. INJECAGENT, the academic benchmark from ACL 2024, showed that a prompted GPT-4 agent is vulnerable to indirect prompt injection 24% of the time, rising to 47% with a reinforced “hacking prompt”. A March 2026 large-scale public competition organised by UK AISI and US CAISI, run across 13 frontier models with 272,000 attack attempts from 464 participants, found all models were vulnerable, with attack success rates ranging from 0.5% (Claude Opus 4.5) to 8.5% (Gemini 2.5 Pro) — and crucially, 8,648 successful attacks concealed the compromise in the final user-facing response, leaving victims unaware of the manipulation.

5.2 Tool Misuse — The Privilege Boundary

OWASP ASI02 and Microsoft-style tool abuse. The INJECAGENT benchmark also shows that the average detection time for indirect-injection-driven exfiltration is 47 days for RAG-based systems. ToolHijacker (arXiv 2504.19793) demonstrated an optimization-based attack that manipulates the agent’s tool-selection process by injecting malicious tool descriptions into the tool library — making the agent choose the attacker’s tool for legitimate user tasks.

5.3 Memory Poisoning — The Persistence

OWASP ASI06. LangChain’s `ConversationBufferMemory` and `VectorStoreRetrieverMemory` store historical context for agent decision continuity. Adversaries manipulate this memory by injecting misleading context into retrieval systems, causing agents to make consistently wrong decisions — approve fraudulent transactions, misclassify security alerts. CSA’s Promptware Kill Chain (January 2026) analysed 36 real-world studies and identified 21 multi-stage attacks that traversed four or more stages, with memory poisoning as the persistence layer.

5.4 Tool Poisoning via MCP — The Supply Chain

The Model Context Protocol (MCP) has become the de facto standard for connecting AI assistants to external tools and data. Tool poisoning attacks — first publicly disclosed by Invariant Labs in April 2025 — embed adversarial instructions inside tool descriptions and metadata that the agent model reads but the human user cannot easily inspect. AdapTools (arXiv 2602.20720) demonstrated a 2.13× improvement in attack success rate with adaptive stealthy tool selection. Log-To-Leak (ICLR 2026 submission) showed that agents can be coerced into calling malicious logging tools to exfiltrate user queries, tool responses, and agent replies — without degrading task performance.

5.5 RCE via LLM-Generated Code — The Crown Jewel

The pattern that converts prompt injection into host compromise. Multiple 2026 CVEs follow the same shape: the agent has a tool that executes LLM-generated code (Python via PALChain, CSV Agent, sandboxed REPL), and the sandbox is missing. CVE-2025-68664 via Jinja2 template instantiation is the most general case. Palo Alto’s Unit 42 “Zealot” research (May 2026) demonstrated a multi-agent system executing a four-stage attack chain — initial SSRF exploitation → BigQuery data exfiltration — from a single initial prompt with no human intervention required between pivots.

5.6 Cascading Failure (OWASP ASI08) — The Multiplier

When multiple LLM agents collaborate, a single injection in one agent’s input stream propagates through the network. The “chain-of-compromise” pattern (Lee & Tiwari 2024) shows adversarial prompts spreading covertly through normal message-passing. hackingBuddyGPT research showed GPT-4-turbo-driven agents could escalate privileges on test systems 33–83% of the time through iterative LLM reasoning — without a pre-built knowledge base of privilege-escalation techniques.

6. The Defensive Stack for Production Agentic AI

Defending agentic AI is not a single control. It is a layered system. OWASP, CSA, and Microsoft converge on roughly the same five-layer model.

Layer 1 — Patching and SBOM Hygiene

This is non-negotiable. Every team running LangChain in production must:

• Be on `langchain-core >= 1.2.22` (or the 0.3.x branch `>= 0.3.81`).
• Be on `langgraph-checkpoint >= 3.0` and `langgraph-checkpoint-sqlite >= 3.0.1`.
• Be on `langchain-openai >= 1.1.14` and `langchain-text-splitters >= 1.1.2`.
• Maintain a **machine-readable SBOM** for the agentic stack so CVEs propagate into your existing vulnerability management workflow.
• Patch FlowiseAI to `>= 3.1.0` and Microsoft Semantic Kernel to the latest if used.

Layer 2 — Input Validation and Provenance

• Treat every input reaching an LLM as untrusted, **including data retrieved from your own vector store, knowledge base, or tool response**.
• Apply input sanitization at the **boundary of the agent, not at the boundary of the model**. The model cannot be the security boundary.
• Implement a **per-tool allowlist** with the minimum argument set required. Do not give agents `python_eval`, `subprocess`, or unrestricted `requests` access.
• Cryptographically sign or attest the **provenance of inter-agent messages** in multi-agent systems. The CSA LOTA report is explicit: *“The primary protective factor is not architectural topology but message provenance control.”*
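As an added example serving both the LOTA cascade in Section 4 and the provenance bullet above (not CSA's, LangChain's or LangGraph's code), a signed inter-agent envelope: each sender holds a signing key, the receiving agent verifies identity, freshness and replay before the body ever reaches its LLM, and only then applies a per-sender policy on what that sender may ask of it. Agent names, the key registry and the policy are constructed assumptions, and stdlib HMAC stands in for whatever signing scheme a real deployment uses.

```python
import hashlib, hmac, json, secrets, time

# Constructed registry: one signing key per agent identity, provisioned out of
# band (assumption: in production from a KMS or per-agent workload identity).
AGENT_KEYS = {name: secrets.token_bytes(32)
              for name in ("orchestrator", "research-agent", "database-agent")}

# Least privilege applied after identity is proven: a low-privilege research
# agent may offer a summary, but only the orchestrator may issue directives.
ALLOWED_KINDS = {"orchestrator": {"directive", "summary"}, "research-agent": {"summary"}}

class ProvenanceError(Exception):
    """The receiving agent refuses to act on this message."""

def _canonical(payload):
    # Stable byte encoding so sender and receiver MAC exactly the same data.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign_envelope(sender, recipient, kind, body, key):
    """Wrap an inter-agent message with identity, freshness and an HMAC tag."""
    payload = {"sender": sender, "recipient": recipient, "kind": kind, "body": body,
               "nonce": secrets.token_hex(16), "ts": int(time.time())}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "sig": tag}

class Inbox:
    """Receiving side: verify provenance before the body ever reaches the LLM."""

    def __init__(self, me, keys, policy, max_age_s=300):
        self.me, self.keys, self.policy, self.max_age_s = me, keys, policy, max_age_s
        self.seen_nonces = set()  # replay protection

    def accept(self, envelope, now=None):
        """Return the verified envelope, or raise ProvenanceError."""
        env = dict(envelope)
        sig = env.pop("sig", None)
        key = self.keys.get(env.get("sender"))
        if key is None or sig is None:
            raise ProvenanceError("unknown sender or unsigned message")
        expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ProvenanceError("signature mismatch: sender or body was altered")
        if env["recipient"] != self.me:
            raise ProvenanceError("message not addressed to this agent")
        now = time.time() if now is None else now
        if abs(now - env["ts"]) > self.max_age_s:
            raise ProvenanceError("stale message")
        if env["nonce"] in self.seen_nonces:
            raise ProvenanceError("replayed message")
        self.seen_nonces.add(env["nonce"])
        if env["kind"] not in self.policy.get(env["sender"], set()):
            raise ProvenanceError(f"{env['sender']} may not send {env['kind']!r}")
        return env
```

The point of the ordering is that the claimed sender name is never trusted until the tag verifies, so a peer cannot gain the orchestrator's privileges simply by relabelling its message.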

Layer 3 — Tool Sandboxing

• Execute LLM-generated code in a **gated sandbox** (gVisor, Firecracker, or a remote ephemeral container) with no network access to internal services.
• Apply **per-tool timeouts, network isolation, and resource budgets**. A tool that can block forever or open arbitrary TCP connections is a tool that becomes a pivot.
• Disable any tool that evaluates LLM-generated code without sandboxing. This is what `CVE-2026-41264` (Flowise CSV Agent) and `CVE-2025-68664` (PALChain + Jinja2) exploited.

Layer 4 — Behavioural Monitoring and Anomaly Detection

• Log every agent tool call, every inter-agent message, and every state transition in a structured format. The CSA LLM-orchestrated-kill-chain note recommends structured logging for *all* agent tool calls in any agentic workflow that has access to internal systems, databases, or cloud APIs — within 30 to 90 days.
• Apply **anomaly detection** at the tool-call level: spikes in API usage, unexpected tool chaining, unusual transaction patterns, sudden tool use by an agent that has never used that tool before. These are the OWASP ASI02 detection signals.
• Cross-reference agent behaviour against **known attack signatures** (e.g., the ATR-2026 rule set from `agentthreatrule.org`) for credential forwarding, role assumption, and privilege escalation requests.
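To make the Layer 4 signals concrete, an added example (not from the page's sources) that runs three detections over constructed structured log lines: direct agent-to-agent messages that bypassed the orchestrator (the ATR-2026-00074 signal), first-ever tool use by an agent, and the per-trace ingestion → sensitive read → egress chain from the Section 4 cascade. The event schema, agent names, baseline and tool-role sets are assumptions.

```python
import json
from collections import defaultdict

# Baseline of (agent, tool) pairs seen during normal operation. Anything outside
# it is "sudden tool use by an agent that has never used that tool before".
BASELINE = {("research-agent", "web_fetch"), ("analysis-agent", "summarize"),
            ("database-agent", "db_query")}

# Tool roles for the chaining rule: untrusted ingestion -> sensitive read -> egress.
INGRESS = {"web_fetch", "read_email"}
SENSITIVE = {"db_query", "read_secret"}
EGRESS = {"send_email", "http_post"}

# Constructed structured log (one JSON object per line), not real telemetry.
# Trace t1 is a normal run; t2 follows the cascade shape from Section 4.
SAMPLE_LOG = """\
{"trace":"t1","agent":"research-agent","event":"tool_call","tool":"web_fetch"}
{"trace":"t1","agent":"research-agent","event":"agent_message","to":"analysis-agent","via":"orchestrator"}
{"trace":"t1","agent":"analysis-agent","event":"tool_call","tool":"summarize"}
{"trace":"t2","agent":"research-agent","event":"tool_call","tool":"web_fetch"}
{"trace":"t2","agent":"research-agent","event":"agent_message","to":"database-agent","via":"direct"}
{"trace":"t2","agent":"database-agent","event":"tool_call","tool":"db_query"}
{"trace":"t2","agent":"analysis-agent","event":"tool_call","tool":"http_post"}
"""

def detect(lines):
    """Return (rule, trace, detail) findings for a stream of JSON log lines."""
    findings = []
    stage = defaultdict(int)  # per trace: 0 none, 1 ingress, 2 +sensitive, 3 +egress
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        trace, agent = ev["trace"], ev["agent"]
        if ev["event"] == "agent_message" and ev.get("via") != "orchestrator":
            # ATR-2026-00074 signal: peer-to-peer message that bypassed the orchestrator.
            findings.append(("direct-agent-messaging", trace,
                             f"{agent} -> {ev['to']} bypassed the orchestrator"))
        elif ev["event"] == "tool_call":
            tool = ev["tool"]
            if (agent, tool) not in BASELINE:
                findings.append(("novel-tool-use", trace, f"{agent} first use of {tool}"))
            # The stage machine is keyed by trace, not agent: the chain spans the pipeline.
            if stage[trace] == 0 and tool in INGRESS:
                stage[trace] = 1
            elif stage[trace] == 1 and tool in SENSITIVE:
                stage[trace] = 2
            elif stage[trace] == 2 and tool in EGRESS:
                stage[trace] = 3
                findings.append(("ingress-sensitive-egress-chain", trace,
                                 f"{agent} egressed via {tool} after untrusted ingestion and a sensitive read"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding, sep=" | ")
```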

Layer 5 — Human-in-the-Loop for High-Consequence Actions

• Require explicit human confirmation for any action with **irreversible or externally visible effects** — outbound communications, record deletion, access-control list changes, financial transactions, production deployments.
• Adopt the **Singapore PDPC Model AI Governance Framework for Agentic AI** (January 2026) as a baseline: define clear boundaries for agent behaviour, designate accountable parties for agent failures, and embed technical safeguards within agentic systems.

Detection Engineering Bonus

• Implement **latent-space-based detection** (e.g., the ICON framework, arXiv 2602.20708), which exploits the *“attention collapse”* a model exhibits on injected tokens. ICON achieves a **0.4% attack success rate with a >50% task-utility gain** versus over-refusal baselines — and crucially, it generalises across model families.

7. What This Means for Your Roadmap

If you are shipping agentic AI in 2026, three things should change this quarter:

First, treat framework CVEs as production incidents, not backlog tickets. The “LangDrained” disclosure cluster was a six-week event that turned a dependency update into a security incident. Your MTTR for “critical CVE in a framework with a CVSS > 9.0” needs to be measured in hours, not weeks.

Second, threat-model the agent topology, not just the agent. Map every agent, every tool, every inter-agent message path, and every shared memory store. Treat each surface as a trust boundary requiring explicit access controls. CSA’s LOTA research concludes that “the primary protective factor is not architectural topology but message provenance control” — meaning the right question is not “is the topology decentralised?” but “can I prove which agent sent this message?”

Third, get ahead of the compliance curve. The Singapore PDPC MGAF for Agentic AI, the EU AI Act high-risk obligations (full conformity by 2 August 2026), and the new OWASP Agentic AI Top 10 are converging on the same set of technical requirements: bounded autonomy, human accountability, technical controls, and audit trails. Designing for these now is cheaper than retrofitting in 2027.


Closing

The disclosed CVEs are patched. The architectural patterns that made them dangerous — agents trusting peer-agent messages, agents executing LLM-generated code, shared state without provenance, tool descriptions as instruction surfaces — are not bugs. They are properties of how LangChain and LangGraph were designed. Defending agentic AI in 2026 is not about waiting for a magical LLM firewall. It is about applying the same layered security engineering that protected the 2010s web stack — patching, input validation, sandboxing, monitoring, and human-in-the-loop — to the new agentic attack surface.

The frameworks are not going away. The vulnerabilities will keep coming. The teams that build the defensive stack first will own the production agentic market for the rest of the decade.


Need a hands-on assessment of your LangChain or LangGraph deployment? Talk to Evvo Labs — we run agentic AI security engagements covering framework hardening, multi-agent trust boundary design, MCP attack-surface mapping, and detection engineering for indirect prompt injection. PromptDome is our runtime shield for indirect prompt injection, inter-agent injection, and tool-description poisoning — deployable in front of any LangChain / LangGraph / MCP stack in under an hour.