Critical RCE Vulnerability Chain Disclosed in LangGraph AI Framework
A newly disclosed vulnerability chain in LangGraph, an open-source AI agent framework developed by the creators of LangChain, enables attackers to achieve remote code execution (RCE) on self-hosted deployments. With 46.5 million monthly downloads, LangGraph is widely adopted in enterprise environments, amplifying the risk of exploitation.
The flaws stem from the `get_state_history()` function, which retrieves agent checkpoints (essentially the AI's memory) from a persistence layer. The vulnerabilities include:
- CVE-2025-67644 (CVSS 7.3): An SQL injection flaw in the SQLite checkpointer's `_metadata_predicate()` function, where user-controlled metadata filter keys are unsafely interpolated into SQL queries, allowing arbitrary SQL manipulation.
- CVE-2026-28277: An unsafe msgpack deserialization flaw in the checkpoint loading mechanism. Attackers can exploit the SQL injection to inject malicious msgpack payloads, reconstructing harmful Python objects and triggering `os.system()` execution.
- CVE-2026-27022: A similar query injection issue in the Redis checkpointer backend.
A successful exploit grants attackers full server compromise, exposing LLM API keys, conversation histories, CRM credentials, customer PII, and internal network access, far beyond the scope of a single-session prompt injection. Unlike transient attacks, this provides persistent, retrospective access to all agent operations.
The vulnerabilities affect self-hosted deployments using SQLite or Redis checkpointers with user-controllable filter input. LangChain’s managed platform (using PostgreSQL) remains unaffected. Patches are available:
- CVE-2025-67644: `langgraph-checkpoint-sqlite` ≥ 3.0.1
- CVE-2026-28277: `langgraph` ≥ 1.0.10
- CVE-2026-27022: `langgraph-checkpoint-redis` ≥ 1.0.2
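One way to check an environment against these minimum versions is to audit `pip freeze` output, as in this added example, which is not from the article or the LangGraph project. The function names and sample pins are constructed; it compares only the numeric release segment and assumes no pre-release tags.

```python
import re

# Minimum fixed versions, as listed in the article above.
FIXED = {
    "langgraph-checkpoint-sqlite": (3, 0, 1),  # CVE-2025-67644
    "langgraph": (1, 0, 10),                   # CVE-2026-28277
    "langgraph-checkpoint-redis": (1, 0, 2),   # CVE-2026-27022
}

# Constructed sample of `pip freeze` output.
SAMPLE_FREEZE = """\
langgraph==1.0.9
LangGraph_Checkpoint_SQLite==3.0.1
langgraph-checkpoint-redis==1.0.1
requests==2.32.3
"""


def normalise(name):
    """PEP 503 normalisation, so 'LangGraph_Checkpoint_SQLite' still matches."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version):
    """Numeric release segment as integers, so 1.0.9 sorts below 1.0.10."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in match.group().split("."))
    return parts + (0,) * (3 - len(parts))


def audit(freeze_text):
    """Return sorted (package, installed, minimum) for pins below the fix."""
    findings = []
    for line in freeze_text.splitlines():
        match = re.match(r"\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)", line)
        if not match:
            continue  # not an exact pin (editable install, URL, comment)
        name, installed = normalise(match.group(1)), match.group(2)
        if name in FIXED and release_tuple(installed) < FIXED[name]:
            minimum = ".".join(str(n) for n in FIXED[name])
            findings.append((name, installed, minimum))
    return sorted(findings)
```

A plain string comparison would rank `1.0.9` above `1.0.10` and miss the unpatched `langgraph` pin, which is why the versions are compared as integer tuples.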
The incident underscores a growing risk in AI frameworks: traditional vulnerabilities like SQL injection become far more dangerous when embedded in systems with elevated access, long-lived secrets, and trusted identities. Organizations running LangGraph in production are advised to apply patches immediately.
Source: https://cyberpress.org/critical-langgraph-vulnerability/
LangChain cybersecurity rating report: https://www.rankiteo.com/company/langchain
"id": "LAN1781267219",
"linkid": "langchain",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"