LangGraph Vulnerability Chain Enables Remote Code Execution and Full Server Takeover in Agent Deployments

Check Point Research disclosed a critical vulnerability chain in LangGraph, the open-source AI agent framework developed by LangChain’s creators. All three CVEs are patched and no longer pose an active threat — fixes shipped in langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and langgraph-checkpoint-redis 1.0.2 prior to public disclosure. The chain could allow unauthenticated attackers to achieve full remote code execution on self-hosted deployments running older versions. The disclosure, published by Check Point Research, highlights how traditional web vulnerabilities become significantly more dangerous when embedded in AI agent systems that manage sensitive data and hold elevated privileges.

The Vulnerability Chain

LangGraph is widely used to build stateful AI agents that manage multi-step processes using large language models. The framework sees approximately 46.5 million monthly downloads and runs across thousands of production environments, including enterprise automation, customer support systems, and internal business applications, according to Cyber Security News.

The attack chain starts in LangGraph’s checkpointing mechanism, which stores and retrieves the execution state of AI agents. Check Point researchers found that the get_state_history() function contains an SQL injection flaw in its filter parameter, allowing attackers to manipulate database queries. On its own, SQL injection is serious but limited. Combined with a second flaw involving unsafe msgpack deserialization, the chain becomes critical: an attacker injects malicious serialized data through the SQL injection, and that data executes during deserialization, granting full remote code execution on the server.

Three CVEs Assigned

Three CVEs track the vulnerabilities:

• CVE-2025-67644: SQLite injection vulnerability in the checkpointer component
• CVE-2026-28277: Remote code execution via msgpack deserialization
• CVE-2026-27022: Redis injection vulnerability in an alternative checkpointer backend

The vulnerability chain primarily affects self-hosted deployments using SQLite or Redis checkpointers with user-controlled input. LangChain’s managed platform, LangSmith, is not impacted.

What Attackers Could Access

If exploited, attackers could gain access to LLM API keys, customer data, conversation histories, and credentials connected to external systems such as CRMs and internal APIs, Check Point researchers wrote. The compromised server could also serve as a pivot point for further attacks on internal networks.

Patched Versions

All vulnerabilities have been patched. Secure versions include langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and langgraph-checkpoint-redis 1.0.2 or later. Users running self-hosted LangGraph deployments should upgrade immediately.

The Supply Chain Pattern

The disclosure follows a pattern NCT has tracked extensively: traditional vulnerability classes, from SQL injection to deserialization, carry outsized consequences when they exist in AI agent frameworks. Agent systems typically operate with elevated privileges, hold API keys for multiple external services, and maintain persistent access to sensitive data stores. A single compromised agent server can expose an entire organization’s AI infrastructure credentials in one breach.

For teams running LangGraph in production, the immediate action is upgrading. The broader lesson is treating agent framework dependencies with the same supply chain rigor applied to any internet-facing service: pin versions, audit checkpointer configurations, and restrict user-controlled inputs to state management functions.