"An SQL injection in LangGraph's function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data," Check Point said.
Check Point and researcher Yarden Porat: three disclosed flaws
Cybersecurity researchers disclosed three security flaws in LangGraph — an open-source framework for building stateful, multi-agent AI applications — and all three have been patched. Check Point and security researcher Yarden Porat are credited in the reporting: Porat discovered and reported the vulnerabilities, and Check Point published technical findings that show how the bugs can be combined into a critical chain.
The identified issues, with their CVE identifiers and CVSS scores, are:
- CVE-2025-67644 (CVSS 7.3) — a SQL injection in LangGraph's SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys. This affects langgraph-checkpoint-sqlite versions before 3.0.1.
- CVE-2026-28277 (CVSS 6.8) — an unsafe msgpack deserialization vulnerability in LangGraph that lets an attacker who can modify checkpoint data trigger object reconstruction when a checkpoint is loaded. This affects langgraph versions before 1.0.10.
- CVE-2026-27022 (CVSS 6.5) — a RediSearch Query Injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. This affects @langchain/langgraph-checkpoint-redis versions before 1.0.1.
The exploit chain: get_state_history(), SQL injection and unsafe msgpack deserialization
Check Point and Porat describe a specific chain that can lead to remote code execution (RCE) when two vulnerabilities are combined. The chain is exploitable when a deployment exposes the get_state_history() endpoint and uses the SQLite or Redis checkpointer with user-controlled filter input.
The attack, as laid out in the reporting, follows these steps:
- An attacker crafts a msgpack payload that contains instructions intended to execute arbitrary code.
- The attacker sends a malicious filter parameter to the application that leverages the SQL injection (CVE-2025-67644) to return a fake checkpoint row; the checkpoint column in that row contains attacker-controlled serialized data.
- When the application processes the query results, it deserializes the checkpoint BLOB.
- The attacker exploits the unsafe msgpack deserialization vulnerability (CVE-2026-28277) to execute the payload, achieving remote code execution on the server.
Security researcher Yarden Porat specifically noted that CVE-2025-67644 and CVE-2026-28277 can be chained to achieve RCE.
Affected deployments: self-hosted SQLite and Redis checkpointers; LangSmith unaffected
LangGraph maintainers and Check Point draw a distinction between self-hosted deployments and LangChain's managed offering. Check Point said the chain is "exploitable in self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input." LangGraph maintainers emphasized that LangChain's managed platform — LangSmith Deployment — is not affected.
The maintainers described CVE-2026-28277 as a post-exploitation issue: successful exploitation requires the ability to write attacker-controlled checkpoint data and then turn that into code execution in the application runtime. They warned that such an escalation from "write access to checkpoint store" to code execution may "expose runtime secrets or provide access to other systems the runtime can reach." The maintainers also noted that "typical hosted configurations are designed to prevent such access."
Patch, configuration, and architecture recommendations from Check Point and LangGraph
Both Check Point and the LangGraph maintainers pushed standard mitigations and configuration hardening to reduce risk. Users are advised to:
- Apply the latest fixes for each affected package.
- Implement authentication for self-hosted LangGraph servers.
- Avoid long-lived static secrets.
- Enforce network segmentation.
- Treat AI agents as privileged identities and apply the principle of least privilege (PoLP) to limit agents' access footprint.
Those recommendations reflect the dual nature of the problem: a classic vulnerability class (SQL injection, unsafe deserialization) embedded in an AI agent framework that may have broad runtime access and elevated trust.
What this means for technologists, open-source maintainers, and affected enterprises
Technologists and security teams should prioritize patching the affected packages: langgraph-checkpoint-sqlite (update to 3.0.1 or later), langgraph (update to 1.0.10 or later), and @langchain/langgraph-checkpoint-redis (update to 1.0.1 or later). They should also review whether get_state_history() or similar endpoints accept user-controlled metadata filters and add authentication, input validation, and runtime protections where appropriate.
Open-source maintainers and operators of self-hosted environments will need to consider the persistence layer as an attack surface: write access to checkpoint stores can be a meaningful stepping stone in a chained attack. LangGraph maintainers' note that hosted configurations are typically designed to prevent such access underscores the value of deployment controls and separation of duties.
Enterprises and procurement leaders using agentic AI frameworks should insist on fixed version baselines, patch windows for components that touch persistence, and architectural constraints that limit what agent runtimes can reach on the network. Check Point's analysis serves as a reminder that traditional vulnerabilities can carry outsized risk when they live in components viewed as trusted infrastructure.
As the maintainers and researchers have shown, the risk here depends on a chain of conditions — an exposed endpoint, writable checkpoint storage, and the presence of both SQL injection and unsafe deserialization — but when those conditions line up the result can be full server compromise. For teams running self-hosted LangGraph, the immediate, practical next step is straightforward: patch, restrict access to checkpoint stores, and treat agent runtimes as privileged systems.




