Recent disclosures have unveiled three critical security vulnerabilities in LangGraph, an open-source framework developed by LangChain for building complex, stateful, and multi-agent AI applications. These flaws, now patched, could have allowed attackers to execute remote code on self-hosted AI agents.
LangGraph is widely utilized for creating sophisticated AI workflows. The identified vulnerabilities are:
- CVE-2025-67644 (CVSS score: 7.3): A SQL injection vulnerability in LangGraph’s SQLite checkpoint implementation, enabling attackers to manipulate SQL queries through metadata filter keys. This flaw affected langgraph-checkpoint-sqlite versions before 3.0.1.
- CVE-2026-28277 (CVSS score: 6.8): An unsafe msgpack deserialization vulnerability in LangGraph, allowing object reconstruction when a checkpoint is loaded by an attacker who can modify checkpoint data. This issue impacted langgraph versions before 1.0.10.
- CVE-2026-27022 (CVSS score: 6.5): A RediSearch Query Injection in @langchain/langgraph-checkpoint-redis, which could be exploited to bypass access controls. This vulnerability affected @langchain/langgraph-checkpoint-redis versions before 1.0.1.
Security researcher Yarden Porat, credited with discovering these flaws, demonstrated that chaining CVE-2025-67644 and CVE-2026-28277 could lead to remote code execution. The attack sequence involves:
- Crafting a malicious msgpack payload designed to execute arbitrary code.
- Exploiting the SQL injection vulnerability to insert a fake checkpoint row into the database query results, with the checkpoint column containing the attacker’s serialized data.
- Triggering the application to deserialize the malicious checkpoint’s BLOB.
- Executing the payload, resulting in remote code execution on the server.
It’s important to note that this exploit chain is applicable to self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input. LangChain’s managed platform, LangSmith Deployment, remains unaffected.
LangGraph maintainers have addressed these vulnerabilities in the following versions:
- langgraph-checkpoint-sqlite: version 3.0.1 and later
- langgraph: version 1.0.10 and later
- @langchain/langgraph-checkpoint-redis: version 1.0.1 and later
Users are strongly advised to update to these patched versions to mitigate potential risks.
This incident underscores the critical importance of securing AI frameworks, especially those deployed in self-hosted environments. As AI systems become more integrated into various applications, ensuring their security is paramount to prevent potential exploitation and maintain trust in these technologies.
