Full Report
Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications. "An SQL injection in LangGraph's function could
Analysis Summary
# Vulnerability: LangGraph Remote Code Execution (RCE) Chain
## CVE Details
- **CVE ID:** CVE-2025-67644, CVE-2026-28277, CVE-2026-27022
- **CVSS Score:** 7.3 (High) / 6.8 (Medium) / 6.5 (Medium)
- **CWE:** SQL Injection (CWE-89), Unsafe Deserialization (CWE-502), Query Injection
## Affected Systems
- **Products:**
- `langgraph-checkpoint-sqlite`
- `langgraph` (Python)
- `@langchain/langgraph-checkpoint-redis` (JavaScript/TypeScript)
- **Versions:**
- `langgraph-checkpoint-sqlite` < 3.0.1
- `langgraph` < 1.0.10
- `@langchain/langgraph-checkpoint-redis` < 1.0.1
- **Configurations:** Self-hosted deployments using SQLite or Redis checkpointers where filter inputs are user-controlled. Specifically, deployments exposing the `get_state_history()` endpoint are at higher risk.
## Vulnerability Description
Researchers identified a critical chain involving three flaws:
1. **CVE-2025-67644:** A SQL injection in the SQLite checkpointer allows an attacker to manipulate queries via metadata filter keys.
2. **CVE-2026-28277:** An unsafe `msgpack` deserialization flaw. While typically a post-exploitation issue, it can be triggered if an attacker can control checkpoint data.
3. **CVE-2026-27022:** A RediSearch query injection allowing for access control bypass in Redis-backed deployments.
The RCE chain occurs when an attacker uses the SQL injection to "poison" the database response, forcing the application to return a malicious serialized BLOB. When the application processes this "fake" checkpoint, the unsafe deserialization flaw (CVE-2026-28277) executes the attacker's embedded payload.
## Exploitation
- **Status:** PoC available (demonstrated by Check Point Research); fixed by vendor.
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full server control and access to runtime secrets)
- **Integrity:** High (Ability to modify data and application state)
- **Availability:** High (Potential for full system takeover or service disruption)
## Remediation
### Patches
Users should update to the following versions or later:
- `langgraph-checkpoint-sqlite` version 3.0.1
- `langgraph` version 1.0.10
- `@langchain/langgraph-checkpoint-redis` version 1.0.1
### Workarounds
- Implement strict authentication and authorization for all self-hosted LangGraph servers.
- Ensure network segmentation to isolate the AI agent infrastructure.
- Avoid using long-lived static secrets in the environment.
## Detection
- **Indicators of Compromise:** Monitor for unusual SQL syntax or unexpected characters in metadata filter parameters. Watch for unauthorized calls to the `get_state_history()` endpoint.
- **Detection Methods:** Review application logs for `msgpack` deserialization errors or unexpected process executions originating from the AI agent runtime.
## References
- [https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c]
- [https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844]
- [https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m]
- [https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/]