LangGraph RCE Flaw Exposes Millions of AI Agent Deployments
A critical vulnerability chain has been newly disclosed in LangGraph, the widely used open-source AI agent framework developed by the creators of LangChain. The flaws allow attackers to achieve full remote code execution (RCE) on self-hosted deployments, putting enterprise environments at serious risk.
According to Checkpoint, with approximately 46.5 million monthly downloads, LangGraph ranks among the most widely adopted AI agent platforms globally.
The scale of its adoption makes the severity of this disclosure particularly alarming for organizations running self-hosted deployments in production.
LangGraph RCE Flaw
The vulnerability chain originates in LangGraph’s get_state_history() function, which retrieves historical agent checkpoints from a persistence layer. The checkpointer saves an agent’s execution state at each step, functioning as the AI agent’s memory and sitting deep within the framework’s core execution path, which makes it a high-value target.
The first flaw, CVE-2025-67644 (CVSS 7.3), is an SQL injection vulnerability in the SQLite checkpointer’s _metadata_predicate() function.
The function directly interpolates user-controlled metadata filter keys into SQL query strings using unsafe f-string formatting (for example, json_extract(CAST(metadata AS TEXT), '$.{query_key}')) without any validation or sanitization. This allows an attacker to inject arbitrary SQL and manipulate which checkpoint data is returned from the database.
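The interpolation pattern described above, next to one way to harden it, as an added example that is not LangGraph's code or its actual patch. The table layout, function names, key policy and sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data in a simplified table, not LangGraph's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)", [
        ("t1", '{"user": "alice", "step": 1}'),
        ("t2", '{"user": "bob", "step": 2}'),
    ])
    return db

def unsafe_predicate(flt):
    # The pattern described above: filter keys formatted into the SQL text.
    preds = [f"json_extract(CAST(metadata AS TEXT), '$.{k}') = ?" for k in flt]
    return " AND ".join(preds), list(flt.values())

# Assumed policy: keys are dot-separated identifiers, nothing else.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")

def safe_predicate(flt):
    # Validate every key, and bind the JSON path as a parameter so the key
    # never becomes part of the SQL text.
    preds, params = [], []
    for key, value in flt.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid metadata filter key: {key!r}")
        preds.append("json_extract(CAST(metadata AS TEXT), ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(preds), params

def list_threads(db, predicate_fn, flt):
    where, params = predicate_fn(flt)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in db.execute(sql, params)]

# Constructed key that closes the quoted JSON path and adds its own condition.
HOSTILE = {"user') IS NOT NULL OR json_extract(metadata, '$.user": "nobody"}

if __name__ == "__main__":
    db = make_db()
    print(list_threads(db, unsafe_predicate, {"user": "alice"}))  # intended use
    print(list_threads(db, unsafe_predicate, HOSTILE))            # filter bypassed
    try:
        list_threads(db, safe_predicate, HOSTILE)
    except ValueError as exc:
        print("rejected:", exc)
```

With the unsafe builder, the constructed key returns every row even though no record has the value "nobody"; the hardened builder rejects the key before any SQL is built.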
The second flaw, CVE-2026-28277, escalates the impact dramatically. It is an unsafe msgpack deserialization vulnerability in LangGraph’s checkpoint loading mechanism.
An attacker who manipulates the database via SQL injection can feed a crafted msgpack payload that reconstructs malicious Python objects during deserialization, ultimately triggering os.system() execution on the underlying server, which amounts to a full server compromise.
A third vulnerability, CVE-2026-27022, covers a similar query injection issue in the Redis checkpointer backend, extending the attack surface beyond SQLite environments.
The full exploit chain flows from the exposed get_state_history() API → sqliteSaver.list() → UNION-injected SQL query → loads_typed("msgpack", checkpoint) → _msgpack_ext_hook(code, bytes) → os.system(command).
A successful exploit exposes far more than a simple foothold. A compromised LangGraph server leaks LLM API keys, full conversation history, CRM credentials, and customer PII, and provides a direct pivot point into internal networks: essentially everything the AI agent ever touched.
Checkpoint stated that this distinguishes the attack from a simple prompt injection, which affects only a single session. Full server compromise grants persistent, retrospective access to all agent operations.
Affected Versions and Patches
The vulnerability chain is exploitable only in self-hosted deployments using the SQLite or Redis checkpointer with user-controllable filter input. LangChain’s managed cloud platform, which uses PostgreSQL, is not affected. All three CVEs have been patched:
- CVE-2025-67644 → upgrade to langgraph-checkpoint-sqlite ≥ 3.0.1
- CVE-2026-28277 → upgrade to langgraph ≥ 1.0.10
- CVE-2026-27022 → upgrade to langgraph-checkpoint-redis ≥ 1.0.2
Teams running LangGraph in production should patch immediately, enforce proper authentication in front of the server, apply least-privilege access to all agent credentials, and treat a compromised agent runtime with the same urgency as a compromised privileged account.
This research underscores a dangerous pattern emerging across the AI ecosystem: classic vulnerability classes like SQL injection become exponentially more damaging inside AI agent frameworks that carry elevated access, long-lived secrets, and trusted identities.
As AI agents deepen their integration into enterprise infrastructure, securing their persistence and deserialization layers is no longer optional.