LangGraph Flaw Chain Exposes Autonomous AI Agents to Remote Code Execution

Ravie Lakshmanan | June 12, 2026 | Vulnerability / Security of AI

Cybersecurity researchers have disclosed details of three now-patched security flaws affecting LangGraph, including a critical chain of vulnerabilities that could result in remote code execution.

LangGraph is an open source framework created by LangChain to build complex, expressive, and multi-agent artificial intelligence (AI) applications.

“SQL injection into the LangGraph function could allow attackers to gain complete control over remote server code by exploiting weaknesses in the way the system processes and handles data,” Check Point said.

The identified weaknesses are as follows:

  • CVE-2025-67644 (CVSS score: 7.3) – An SQL injection vulnerability in LangGraph's SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys. (Affects langgraph-checkpoint-sqlite versions before 3.0.1)
  • CVE-2026-28277 (CVSS score: 6.8) – An unsafe msgpack deserialization vulnerability in LangGraph that can trigger object reconstruction when a checkpoint is loaded, if an attacker can modify the checkpoint data. (Affects langgraph versions before 1.0.10)
  • CVE-2026-27022 (CVSS score: 6.5) – A RediSearch query injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. (Affects @langchain/langgraph-checkpoint-redis versions before 1.0.1)

“The vulnerability chain is exploitable in self-hosted deployments using SQLite or Redis checkpointer with user-controlled filter input,” Check Point said. “The platform managed by LangChain (LangSmith Deployment) is not affected.”
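
The filter-key injection behind CVE-2025-67644 comes down to one pattern, shown here as an added example that is not LangGraph's code and not taken from the Check Point report: a query builder that binds filter values but interpolates filter keys, next to a hardened builder. The table, helper names, and sample rows are constructed for illustration.

```python
import json
import re
import sqlite3

KEY_RE = re.compile(r"[A-Za-z0-9_]+")  # allowlist for metadata filter keys
# Constructed input: a filter key that closes the quoted JSON path early.
CRAFTED = {"owner') IS NOT NULL OR ('a": "alice"}

def make_db():
    # Hypothetical table with constructed rows, not LangGraph's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)", [
        ("t1", json.dumps({"owner": "alice", "source": "input"})),
        ("t2", json.dumps({"owner": "bob", "source": "loop"})),
    ])
    return db

def where_unsafe(flt):
    # Weak: values are bound, but each KEY is pasted into the SQL text.
    preds = [f"json_extract(metadata, '$.{k}') = ?" for k in flt]
    return " AND ".join(preds), list(flt.values())

def where_safe(flt):
    # Hardened: keys must pass the allowlist, and the JSON path is itself a
    # bound parameter, so no caller-supplied text reaches the SQL string.
    preds, params = [], []
    for key, value in flt.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        preds.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(preds), params

def search(db, builder, flt):
    where, params = builder(flt)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = make_db()
    print(search(db, where_unsafe, {"owner": "alice"}))  # honest filter
    print(search(db, where_unsafe, CRAFTED))             # filter no longer applies
    try:
        search(db, where_safe, CRAFTED)
    except ValueError as exc:
        print(exc)
```

With the weak builder the crafted key turns an owner filter into a condition that matches every row; the hardened builder rejects the key before any SQL is assembled.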

Security researcher Yarden Porat, who is credited with discovering and reporting all three flaws, said CVE-2025-67644 and CVE-2026-28277 can be chained to achieve remote code execution.

Specifically, the attack chain relies on an application that exposes the get_state_history() endpoint, which allows the attacker to retrieve historical checkpoints based on their metadata. It involves the following steps:

  • An attacker prepares a msgpack payload containing instructions to execute malicious code.
  • The attacker sends a malicious filter parameter that uses the SQL injection vulnerability to return a fake checkpoint row in the database query results, where the checkpoint column contains serialized data controlled by the attacker.
  • When the application processes the results of the query, it deserializes the malicious checkpoint BLOB.
  • The insecure deserialization vulnerability is then exploited to reconstruct the attacker's payload, giving them remote code execution on the server.

LangGraph described CVE-2026-28277 as a post-exploitation issue: a successful exploit requires the ability to write attacker-controlled checkpoint data, which is then converted into code execution in the application runtime. It poses no risk to existing applications hosted by LangSmith.

In such a case, this escalation from “write access to the test store” to code execution may “expose runtime secrets or provide access to other systems that the runtime can access,” the LangGraph maintainers said. “The threat model described requires an attacker to disrupt the test continuity layer used by the deployment; standard hosting settings are designed to prevent such access.”

Check Point said the findings show how powerful classic vulnerabilities like SQL injection can be when they appear inside AI agent frameworks that carry high levels of access and trust, opening the door to the exposure of sensitive data.

Users are advised to apply the latest fixes, use authentication in self-hosted LangGraph deployments, avoid long-lived static secrets, enforce network isolation, treat AI agents as exclusive identities, and apply the principle of least privilege (PoLP) to limit agent access.
