LangGraph Flaw Chain Enables RCE in Self‑Hosted AI Agents

LangGraph security advisory

Three now-patched vulnerabilities in LangGraph can be chained to achieve remote code execution in self-hosted environments. The research, published by Check Point, outlines how a classic SQL injection paired with unsafe deserialization turns an AI agent framework into a foothold for code execution. LangChain’s managed platform (LangSmith Deployment) is not affected.

LangGraph is an open-source framework from LangChain for building complex, stateful, multi-agent AI applications.

What was found

  • CVE-2025-67644 (CVSS 7.3) – SQL injection in LangGraph’s SQLite checkpoint implementation lets attackers manipulate SQL via metadata filter keys. Affects langgraph-checkpoint-sqlite versions before 3.0.1.
  • CVE-2026-28277 (CVSS 6.8) – Unsafe msgpack deserialization that can reconstruct objects when a checkpoint is loaded; exploitable by an attacker who can modify stored checkpoint data. Affects langgraph versions before 1.0.10.
  • CVE-2026-27022 (CVSS 6.5) – RediSearch query injection in @langchain/langgraph-checkpoint-redis that can bypass access controls. Affects versions before 1.0.1.

Check Point notes the chain is exploitable in self-hosted deployments that use the SQLite or Redis checkpointer with user-controlled filter input.

How the chain reaches RCE

The path to code execution relies on the application exposing the get_state_history() endpoint, which lets an attacker retrieve historical checkpoints by metadata. From there:

  • Prepare a msgpack payload that contains instructions to execute arbitrary code.
  • Send a malicious filter parameter that abuses the SQL injection to return a fake checkpoint row in the query results, with the checkpoint column holding attacker-controlled serialized data.
  • When the application processes the results, it deserializes the malicious checkpoint BLOB.
  • Exploit the unsafe deserialization to run the payload and gain remote code execution on the server.
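The first link of the chain is a filter builder that lets caller-supplied metadata keys alter the shape of the SQL. As an added, illustrative example (not LangGraph's code and not the upstream patch), here is the hardened form of such a builder: keys are checked against an identifier allowlist and bound as a JSON path parameter, values are bound as ordinary parameters, so filter input can only ever be data. The checkpoint table layout and rows are constructed for the demo.

```python
import json
import re
import sqlite3

# Constructed, illustrative table; not the real langgraph-checkpoint-sqlite schema.
_SCHEMA = (
    "CREATE TABLE checkpoints ("
    " thread_id TEXT, checkpoint_id TEXT, checkpoint BLOB, metadata TEXT)"
)
# Allowlist for metadata keys: identifier-like only, so a key can never carry
# quotes, parentheses or JSON-path syntax into the query.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_metadata_filter(filter: dict) -> tuple[str, list]:
    """Return (where_clause, params); neither keys nor values are spliced into SQL."""
    clauses, params = [], []
    for key, value in filter.items():
        if not isinstance(key, str) or not _KEY_RE.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        # The JSON path is a bound parameter too, not a string interpolated into SQL.
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return " AND ".join(clauses) or "1", params


def list_checkpoints(conn: sqlite3.Connection, thread_id: str, filter: dict) -> list[str]:
    """List checkpoint ids for a thread whose metadata matches every filter entry."""
    where, params = build_metadata_filter(filter)
    # `where` is assembled only from fixed fragments above; all user data is in params.
    sql = f"SELECT checkpoint_id FROM checkpoints WHERE thread_id = ? AND {where}"
    return [row[0] for row in conn.execute(sql, [thread_id, *params])]


def demo_db() -> sqlite3.Connection:
    """In-memory database with a few constructed checkpoint rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(_SCHEMA)
    rows = [
        ("t1", "c1", b"\x80", json.dumps({"source": "input", "step": 0})),
        ("t1", "c2", b"\x80", json.dumps({"source": "loop", "step": 1})),
        ("t2", "c3", b"\x80", json.dumps({"source": "loop", "step": 1})),
    ]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?, ?)", rows)
    return conn
```

A key such as `source'` or `a.b` is rejected before any SQL is built, and the rejection is a good place to emit an audit log line, since legitimate clients never send such keys.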

LangGraph maintainers describe CVE-2026-28277 as post-exploitation: successful abuse requires the ability to write attacker-controlled checkpoint data and convert that into code execution in the application runtime. They add that this escalation from write access to code execution could expose runtime secrets or reachable systems. They also note that typical hosted configurations are designed to prevent tampering with the checkpoint persistence layer, and that LangSmith-hosted deployments are not at risk.

The broader lesson, per Check Point: familiar classes like SQL injection become more dangerous inside AI agent frameworks that carry elevated access and trust, increasing the chance of sensitive data exposure.

Actions to take

  • Apply the latest fixes for affected LangGraph components.
  • Enable authentication on self-hosted LangGraph servers.
  • Avoid long-lived static secrets.
  • Enforce network segmentation.
  • Treat AI agents as privileged identities.
  • Apply least privilege (PoLP) to minimize agent access.
