Critical Vulnerability Chain in LangGraph Grants Full Server Control

A critical vulnerability chain has been identified in LangGraph, an open-source AI agent framework developed by the creators of LangChain. This flaw could enable attackers to gain full control over servers through remote code execution (RCE).

LangGraph is widely utilized for building stateful AI agents capable of managing multi-step processes using large language models (LLMs). With approximately 46.5 million monthly downloads, the framework is deployed across numerous production environments, including enterprise automation, customer support systems, and internal business applications. This extensive adoption amplifies the potential impact of any security vulnerabilities.

Details of the Vulnerability Chain

The vulnerability originates in LangGraph’s checkpointing mechanism, which is responsible for storing and retrieving the execution state of AI agents. Researchers discovered that the get_state_history() function contains an SQL injection flaw within its filter parameter, allowing attackers to manipulate database queries. While SQL injection is a serious issue on its own, the risk escalates when combined with a second flaw involving unsafe msgpack deserialization. By chaining these vulnerabilities, an attacker can inject malicious data into the system, leading to its execution during deserialization and resulting in full remote code execution on the server.

This attack path illustrates how multiple moderate flaws can combine into a severe compromise when they exist within core components of AI frameworks. Three CVEs have been assigned to track these vulnerabilities:

  • CVE-2025-67644: SQLite injection vulnerability in the checkpointer component.
  • CVE-2026-28277: Remote code execution via msgpack deserialization.
  • CVE-2026-27022: Redis injection vulnerability in an alternative checkpointer backend.

The vulnerability chain primarily affects self-hosted deployments that use SQLite or Redis checkpointers with user-controlled input. LangChain’s managed platform, LangSmith, is not impacted. If exploited, attackers can gain access to sensitive assets managed by the AI agent, including LLM API keys, customer data, conversation histories, and credentials connected to external systems such as CRMs and internal APIs. Additionally, the compromised server can serve as a pivot point for further attacks on internal networks, significantly expanding the threat scope.

All vulnerabilities have been patched, and users are strongly advised to upgrade immediately. Secure versions include langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and langgraph-checkpoint-redis 1.0.2 or later.
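To check a deployment against the fixed versions listed above, the following added example (not code from the article or from the LangGraph project) audits `pip freeze`-style pins against those minimums. The function names and the sample pin list are constructed for illustration, and the version parser is a simplified stand-in for full PEP 440 comparison.

```python
import re

# Minimum patched releases, as listed in the article.
FIXED = {
    "langgraph-checkpoint-sqlite": (3, 0, 1),
    "langgraph": (1, 0, 10),
    "langgraph-checkpoint-redis": (1, 0, 2),
}

# Constructed sample input (not taken from a real deployment).
SAMPLE = """langgraph==1.0.9
langgraph_checkpoint_sqlite==3.0.1
langgraph-checkpoint-redis==1.0.2rc1
requests==2.32.3"""

def normalize(name):
    # PEP 503 normalization, so langgraph_checkpoint_sqlite also matches.
    return re.sub(r"[-_.]+", "-", name).strip().lower()

def status(name, version):
    """Classify one pinned version as 'patched', 'vulnerable' or 'unknown'."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        return "unknown"
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    pre = bool(re.match(r"[-_.]?(a|b|rc|dev)", m.group(2), re.I))
    floor = FIXED[name]
    # A pre-release of the fixed version sorts before it: treat as unpatched.
    if release < floor or (release == floor and pre):
        return "vulnerable"
    return "patched"

def audit_freeze(text):
    """Return {package: (version, status)} for the affected packages only."""
    report = {}
    for line in text.splitlines():
        # Drop comments and environment markers before splitting the pin.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "==" not in line:
            continue
        raw, version = (s.strip() for s in line.split("==", 1))
        name = normalize(raw)
        if name in FIXED:
            report[name] = (version, status(name, version))
    return report

if __name__ == "__main__":
    import sys
    for pkg, (ver, state) in audit_freeze(sys.stdin.read()).items():
        print(f"{pkg} {ver}: {state}")
```

Pipe the output of `pip freeze` from the environment that runs the agent into the script. A "patched" result confirms only the package version, not whether user-controlled input reaches the checkpointer filter.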

This discovery underscores a growing concern in AI security: traditional vulnerabilities like SQL injection can have far more severe consequences when they exist in systems that operate with elevated privileges and manage sensitive data. As AI frameworks become increasingly integrated into critical business processes, ensuring their security is paramount. Organizations must adopt proactive security measures, including regular code audits, input validation, and the implementation of secure coding practices, to mitigate such risks.