PROBABLYPWNED
Vulnerabilities | June 13, 2026 | 4 min read

LangGraph Vulnerability Chain Enables Full Server Takeover

Check Point researchers chained SQL injection and unsafe deserialization flaws to achieve RCE on AI workflow platforms. Patch langgraph to 1.0.10+ immediately.

Marcus Chen

Check Point Research has disclosed a critical vulnerability chain in LangGraph, the popular AI workflow orchestration framework, that allows attackers to achieve remote code execution on self-hosted deployments. The flaws, tracked as CVE-2025-67644 and CVE-2026-28277, chain SQL injection with unsafe msgpack deserialization to execute arbitrary commands as the application user.

TL;DR

  • What happened: SQL injection + unsafe deserialization chain enables unauthenticated RCE
  • Who's affected: Self-hosted LangGraph deployments using SQLite or Redis checkpointers
  • Severity: Critical—full server compromise possible
  • Action required: Upgrade to langgraph ≥ 1.0.10, langgraph-checkpoint-sqlite ≥ 3.0.1

How the Attack Works

The exploit progression detailed by Check Point follows a clear chain:

  1. Attacker sends malicious input to the exposed get_state_history() API
  2. Input reaches SQLite checkpointer's vulnerable _metadata_predicate() function
  3. Unsafe f-string formatting allows SQL injection via UNION SELECT
  4. Injected query returns a malicious checkpoint payload
  5. Msgpack deserialization reconstructs attacker-controlled Python objects
  6. Custom deserialization hooks execute os.system() commands

The vulnerability exists because LangGraph's SQLite checkpointer used f-string formatting to build SQL queries without sanitization. Once an attacker controls query results, the msgpack deserialization layer happily reconstructs any Python object—including those with malicious __reduce__ methods that execute code on instantiation.
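
The injection step can be seen in isolation with the following added example, which is not LangGraph's code and not taken from the Check Point write-up. It puts an f-string metadata predicate beside a parameterized one; the table layout, the function names and the sample rows are all constructed for illustration.

```python
import re
import sqlite3

KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def make_db():
    """Constructed stand-in table; not LangGraph's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)", [
        ("t1", '{"source": "loop", "step": 1}'),
        ("t2", '{"source": "input", "step": 0}'),
    ])
    return db

def predicate_unsafe(filters):
    # Vulnerable pattern: the caller-supplied key becomes part of the SQL text.
    clauses = [f"json_extract(metadata, '$.{key}') = ?" for key in filters]
    return " AND ".join(clauses), list(filters.values())

def predicate_safe(filters):
    # Hardened: keys must match a strict allowlist pattern, and both the JSON
    # path and the value are bound parameters, never SQL text.
    clauses, params = [], []
    for key, value in filters.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(clauses), params

def search(db, build, filters):
    where, params = build(filters)
    sql = "SELECT thread_id FROM checkpoints"
    if where:
        sql += f" WHERE {where}"
    return [row[0] for row in db.execute(sql + " ORDER BY thread_id", params)]

# Constructed key that closes the quoted JSON path and adds its own condition.
CRAFTED_KEY = "x') IS NULL OR json_extract(metadata, '$.source"

if __name__ == "__main__":
    db = make_db()
    print(search(db, predicate_safe, {"source": "loop"}))
    print(search(db, predicate_unsafe, {CRAFTED_KEY: "nomatch"}))
    try:
        search(db, predicate_safe, {CRAFTED_KEY: "nomatch"})
    except ValueError as exc:
        print(exc)
```

With the f-string builder, a filter that should match nothing returns every row because the key rewrote the WHERE clause; the parameterized builder rejects the same key before any SQL runs.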

The CVEs Involved

CVE-2025-67644 (CVSS 7.3): SQL injection in SQLite checkpointer

  • Affects: langgraph-checkpoint-sqlite < 3.0.1
  • Fixed: December 10, 2025

CVE-2026-28277: Unsafe msgpack deserialization

  • Affects: langgraph < 1.0.10
  • Fixed: March 5, 2026

CVE-2026-27022: SQL injection in Redis checkpointer

  • Affects: langgraph-checkpoint-redis < 1.0.2
  • Fixed: February 20, 2026

The patches were available for months before this disclosure. Organizations running outdated versions should prioritize updates.

What's at Risk

Successful exploitation gives attackers the same privileges as the LangGraph process, typically allowing:

  • Access to API keys and credentials stored in environment variables or config
  • Lateral movement to connected services (vector databases, LLM providers, internal APIs)
  • Data exfiltration from processed documents and conversation histories
  • Persistence via modified checkpoints or backdoored workflows

This follows a pattern we've seen across AI platforms—the LiteLLM vulnerabilities disclosed last week similarly chained flaws to achieve unauthenticated RCE, and Langflow's path traversal issue enabled similar server compromise.

Who's Affected

Self-hosted LangGraph deployments using SQLite or Redis checkpointers are vulnerable. The attack requires user-controllable filter input to reach the vulnerable code paths.

Not affected: LangChain's managed platform, which uses PostgreSQL backends with proper parameterized queries.

Patch Now

Update to these minimum versions:

Package                        Fixed Version
langgraph                      ≥ 1.0.10
langgraph-checkpoint-sqlite    ≥ 3.0.1
langgraph-checkpoint-redis     ≥ 1.0.2

If immediate patching isn't possible, restrict network access to LangGraph endpoints and audit which users can supply filter parameters to checkpoint queries.
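
To check an environment against these minimums, the following added example (not part of the original article or of any LangGraph tooling) reads installed versions with the standard library's importlib.metadata and compares them numerically, so that 1.0.9 sorts below 1.0.10. The function names and status strings are illustrative; versions with pre-release or local suffixes are flagged for manual review rather than guessed at.

```python
import re
from importlib import metadata

# Minimum fixed versions, as listed in this article.
MIN_FIXED = {
    "langgraph": (1, 0, 10),
    "langgraph-checkpoint-sqlite": (3, 0, 1),
    "langgraph-checkpoint-redis": (1, 0, 2),
}

def installed_version(package):
    """Return the installed version string, or None if the package is absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None

def classify(version, minimum):
    if version is None:
        return "not installed"
    # Only plain dotted-numeric versions are compared automatically.
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "review manually"
    parts = tuple(int(p) for p in version.split("."))
    width = max(len(parts), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    # Tuple comparison is numeric per component, unlike string comparison.
    return "ok" if pad(parts) >= pad(minimum) else "VULNERABLE"

def audit(lookup=installed_version):
    """Map each package to a status; `lookup` is injectable for testing."""
    return {pkg: classify(lookup(pkg), minimum)
            for pkg, minimum in MIN_FIXED.items()}

if __name__ == "__main__":
    for pkg, status in audit().items():
        print(f"{pkg:32} {installed_version(pkg) or '-':12} {status}")
```

Run it with the same interpreter and virtual environment that the LangGraph service uses, since a system-wide Python may report different packages.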

The Bigger Picture

AI development frameworks are becoming critical infrastructure. LangGraph, LangChain, LiteLLM, and similar tools sit at the heart of production AI systems, handling sensitive prompts, API credentials, and often customer data. Yet these frameworks frequently lack the security review rigor applied to traditional enterprise software.

The vulnerability pattern here—unsafe string formatting for SQL, pickle/msgpack deserialization without validation—would be caught by basic security tooling in mature codebases. That it survived to production suggests either insufficient security review or pressure to ship features faster than security could keep pace.

For organizations building on AI frameworks: treat these dependencies as critically as you would your database layer. Version pin, monitor for advisories, and assume that any user-controllable input is a potential attack vector. For deeper context on securing AI deployments, our cybersecurity books resource includes several titles covering application security fundamentals.

Frequently Asked Questions

Is my LangGraph deployment exposed to the internet?

Check whether your LangGraph endpoints are accessible beyond your internal network. The get_state_history() API is the primary attack surface. If it's only accessible from trusted services, your exposure is limited but not eliminated.

How do I know if I've been compromised?

Review checkpoint data for anomalies—specifically, look for checkpoints that contain unexpected Python objects or that weren't created through normal workflow execution. Monitor process activity for unexpected outbound connections or command execution.
