Threat Advisory

LangGraph Vulnerabilities Lead to Deserialization Exploit

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in LangGraph, an open-source framework for building multi-agent AI applications. Affected versions include langgraph-checkpoint-sqlite prior to 3.0.1, langgraph prior to 1.0.10, and @langchain/langgraph-checkpoint-redis prior to 1.0.1. The flaws span SQL injection, unsafe msgpack deserialization, and RediSearch query injection, which can be chained to achieve remote code execution on self-hosted deployments. Exploitation allows attackers to manipulate checkpoint data, execute arbitrary code, and bypass access controls, exposing sensitive runtime secrets, compromising data integrity, and potentially granting lateral movement within the enterprise environment.

  • CVE-2025-67644 with a CVSS score of 7.3 – An SQL injection in the SQLite checkpoint implementation allows an attacker who can supply filter keys to inject malicious SQL, retrieve fabricated checkpoint rows, and set up the subsequent deserialization step.
  • CVE-2026-28277 with a CVSS score of 6.8 – An unsafe msgpack deserialization flaw lets a threat actor craft a malicious checkpoint payload that, when loaded, reconstructs objects and executes arbitrary code, provided the attacker controls the checkpoint data.
  • CVE-2026-27022 with a CVSS score of 6.5 – A RediSearch query injection in the Redis checkpoint module can bypass access controls by manipulating search queries, requiring only network access to the Redis instance.

These combined vulnerabilities present a critical risk for any self‑hosted LangGraph deployment, as they enable a full remote code execution chain that can expose confidential AI models and downstream services. Organizations that rely on AI agents for privileged tasks could face data breaches, service disruption, and unauthorized access to internal systems if the flaws are exploited. Prompt attention is required to protect the integrity of AI‑driven workflows.
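The SQL injection step above hinges on filter keys reaching the query text unchecked. The following is an added illustration, not LangGraph's own code or schema: it assumes a simplified checkpoint table in which metadata fields are plain columns, and contrasts the vulnerable splicing pattern with a hardened version that allowlists keys (identifiers cannot be bound as parameters) and binds every value.

```python
import sqlite3
from typing import Any

# Constructed, simplified checkpoint table (assumption; not LangGraph's real schema).
ALLOWED_FILTER_KEYS = frozenset({"thread_id", "source", "step"})


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, "
        "source TEXT, step INTEGER, checkpoint BLOB)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?, ?, ?)",
        [  # constructed sample rows; the BLOB stands in for serialized state
            ("t1", "c1", "input", 0, b"\x80"),
            ("t1", "c2", "loop", 1, b"\x81"),
            ("t2", "c3", "input", 0, b"\x82"),
        ],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, filters: dict[str, Any]) -> list[tuple]:
    """Vulnerable pattern: keys and values are spliced into the SQL text, so a
    caller who controls a filter key controls the structure of the query and
    can steer which rows (and therefore which blobs) are returned for loading."""
    where = " AND ".join(f"{k} = '{v}'" for k, v in filters.items())
    sql = f"SELECT thread_id, checkpoint_id FROM checkpoints WHERE {where}"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, filters: dict[str, Any]) -> list[tuple]:
    """Hardened: reject any key outside a fixed allowlist before building SQL,
    and bind values as parameters so they can never alter the query."""
    unknown = set(filters) - ALLOWED_FILTER_KEYS
    if unknown:
        raise ValueError(f"unsupported filter key(s): {sorted(unknown)}")
    clauses = [f"{k} = ?" for k in filters]  # k is allowlisted, safe to splice
    params = list(filters.values())
    where = " AND ".join(clauses) if clauses else "1 = 1"
    sql = f"SELECT thread_id, checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id"
    return conn.execute(sql, params).fetchall()
```

Note that this only closes the first link of the chain; rows that are returned still carry serialized state, so the deserialization step needs its own hardening (the fixed versions listed below).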

RECOMMENDATION:

  • We recommend updating langgraph-checkpoint-sqlite to version 3.0.1.
  • We recommend updating langgraph to version 1.0.10.
  • We recommend updating @langchain/langgraph-checkpoint-redis to version 1.0.1.

REFERENCES:

The following reports contain further technical details:
https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
