
How LangGraph Checkpoint Flaws Enable Remote Code Execution


CyberSecureFox Editorial Team

Check Point researchers have disclosed three patched vulnerabilities in LangGraph, the LangChain open framework for building multi-agent AI applications. According to the researchers, two of them can be combined into an exploit chain that leads to remote code execution (RCE) on self-hosted servers. The vulnerabilities affect the checkpoint storage components (checkpointers) for SQLite and Redis. The managed LangSmith platform is reportedly not affected. Operators of self-hosted installations should update the affected packages immediately.

Discovered vulnerabilities

All three vulnerabilities were discovered by Check Point researcher Yarden Porat and documented in the company’s technical report. Each one has been assigned a separate CVE identifier and confirmed in GitHub Security Advisory notices:

  • CVE-2025-67644 (CVSS 7.3) – SQL injection in the SQLite checkpoint implementation. An attacker can manipulate SQL queries via metadata filter keys. Versions of langgraph-checkpoint-sqlite prior to 3.0.1 are affected.
  • CVE-2026-28277 (CVSS 6.8) – unsafe msgpack deserialization in LangGraph, allowing object reconstruction to be triggered when loading a checkpoint with modified data. Versions of langgraph prior to 1.0.10 are affected.
  • CVE-2026-27022 (CVSS 6.5) – RediSearch query injection in @langchain/langgraph-checkpoint-redis, allowing access control mechanisms to be bypassed. Versions prior to 1.0.1 are affected.

It is worth noting that none of the vulnerabilities on its own reaches a critical CVSS rating. The most serious threat comes from combining them.

Exploit chain mechanics: from SQL injection to RCE

According to Check Point, CVE-2025-67644 and CVE-2026-28277 can be chained to achieve remote code execution. A required condition is that the application exposes the get_state_history() endpoint, which allows historical checkpoints to be retrieved by metadata.

The attack sequence is as follows:

  1. The attacker crafts a msgpack payload containing instructions for arbitrary code execution.
  2. Via SQL injection in filter parameters, the attacker alters the result of the database query, returning a forged checkpoint row whose checkpoint column contains attacker-controlled serialized data.
  3. The application processes the query result and deserializes the malicious checkpoint BLOB.
  4. Unsafe deserialization leads to execution of the attacker’s payload on the server.

The key aspect of this chain is that a classic SQL injection becomes the delivery vector for exploiting the deserialization vulnerability. Without the first vulnerability, the second would require direct write access to the checkpoint storage, which would significantly narrow the attack surface.

Developers’ position and threat boundaries

LangGraph maintainers described CVE-2026-28277 as a post-exploitation issue: successful use requires the ability to write attacker-controlled data into the checkpoint storage. In their view, typical managed hosting configurations are designed to prevent such access.

The exploit chain is applicable to self-hosted deployments that use SQLite or Redis as checkpoint storage, provided that user input is passed into filter parameters. The managed LangSmith Deployment platform is reportedly not affected by these vulnerabilities. At the time of disclosure, no evidence of active exploitation in the wild had been identified.

Impact assessment

The highest risk is faced by organizations that have deployed LangGraph on their own infrastructure to build AI agents with access to internal systems. If exploitation is successful, an attacker gains the ability to execute arbitrary code in the agent’s runtime environment, which can lead to compromise of runtime secrets and access to adjacent systems available to the agent.

This case clearly demonstrates how traditional classes of vulnerabilities — SQL injection and unsafe deserialization — become more dangerous in the context of AI agent frameworks. Agents typically have elevated privileges and trust, which makes compromising their execution environment far more destructive than compromising a regular web application.

Mitigation recommendations

  • Update affected packages: upgrade langgraph-checkpoint-sqlite to version 3.0.1 or later, langgraph to 1.0.10 or later, and @langchain/langgraph-checkpoint-redis to 1.0.1 or later.
  • Implement authentication for self-hosted LangGraph servers – endpoints such as get_state_history() must not be accessible without authorization.
  • Eliminate long-lived static secrets from agent runtime environments; use credential rotation.
  • Apply network segmentation: isolate AI agent runtime environments from critical internal systems.
  • Treat AI agents as privileged identities and apply the principle of least privilege to limit their access.
  • Validate user input before passing it into checkpoint filtering parameters – do not rely solely on framework-level protections.
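The SQLite checkpointer flaw (CVE-2025-67644) arises because a metadata filter key, unlike a value, cannot be passed to the database as a bound parameter and so ends up interpolated into the query. The following added example, written for this article and not taken from LangGraph's own code, shows how an application layer can enforce the last mitigation bullet: filter keys are checked against an allowlist and an identifier pattern before interpolation, values are always bound, and the table layout, key names and sample rows are constructed for the demonstration.

```python
import json
import re
import sqlite3

# Hypothetical allowlist of metadata keys this application filters on.
ALLOWED_METADATA_KEYS = frozenset({"source", "step", "writes"})
# Plain identifier shape: quotes, parentheses and whitespace cannot pass.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_metadata_filter(metadata_filter):
    """Return (where_clause, params) for a metadata filter dict.

    The key sits inside a JSON path literal, where a bound parameter
    cannot be used, so it is validated (allowlist + identifier regex)
    before interpolation; every value is passed as a bound parameter.
    """
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if (not isinstance(key, str) or not _IDENT_RE.match(key)
                or key not in ALLOWED_METADATA_KEYS):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return (" AND ".join(clauses) or "1 = 1"), params


def query_checkpoints(conn, thread_id, metadata_filter):
    """Return checkpoint ids of one thread that match the validated filter."""
    where, params = build_metadata_filter(metadata_filter)
    sql = ("SELECT checkpoint_id FROM checkpoints "
           f"WHERE thread_id = ? AND {where} ORDER BY checkpoint_id")
    return [row[0] for row in conn.execute(sql, [thread_id, *params])]


def demo_db():
    """Constructed in-memory store with a few sample checkpoint rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, "
                 "checkpoint BLOB, metadata TEXT)")
    rows = [("t1", "c1", b"\x80", {"source": "input", "step": 0}),
            ("t1", "c2", b"\x81", {"source": "loop", "step": 1}),
            ("t2", "c3", b"\x82", {"source": "input", "step": 0})]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?, ?)",
                     [(t, c, b, json.dumps(m)) for t, c, b, m in rows])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(query_checkpoints(db, "t1", {"source": "input"}))  # ['c1']
```

Keys that are syntactically valid but outside the allowlist are rejected too, so adding a new filterable key is a deliberate code change rather than something request data can introduce.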

Organizations using LangGraph in self-hosted configurations should prioritize updating all three affected components and auditing the exposure of agent state management endpoints. Even in the absence of confirmed exploitation in real-world conditions, the existence of a detailed technical description of the attack chain from Check Point significantly lowers the bar for potential attackers.


The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
