A significant security flaw has been identified in LangGraph, a widely-used open-source framework for AI agents, which could potentially allow attackers to execute remote code and gain complete control over targeted servers. This vulnerability was discovered by Check Point Research, highlighting the increased risk posed by traditional vulnerabilities when integrated into AI systems managing sensitive operations.
The Extent of LangGraph’s Usage
LangGraph is favored for creating AI agents capable of handling complex processes using large language models. Its popularity is evident, with approximately 46.5 million downloads each month, and it is implemented across a variety of production settings. These include enterprise automation tools, customer support platforms, and internal business applications.
The widespread use of LangGraph amplifies the consequences of any security weaknesses within it. The identified vulnerability chain specifically targets the framework’s checkpointing mechanism, responsible for storing and retrieving AI agent states.
Details of the Vulnerability Chain
Check Point researchers found that the get_state_history() function within LangGraph’s SQLite checkpointer is vulnerable to SQL injection attacks due to a flaw in its filter parameter. This issue alone poses a significant threat but becomes critical when paired with another vulnerability involving unsafe msgpack deserialization.
Exploiting these vulnerabilities in tandem allows an attacker to inject harmful data, which can then be executed upon deserialization. This chain of vulnerabilities results in full remote code execution, illustrating how seemingly moderate issues can combine to create severe security breaches within core AI framework components.
Three CVEs have been assigned to document these vulnerabilities: CVE-2025-67644, CVE-2026-28277, and CVE-2026-27022, addressing issues from SQL injection to remote code execution.
Impact and Mitigation
The vulnerabilities primarily affect self-hosted setups using SQLite or Redis checkpointers with user input. It is important to note that LangSmith, the managed platform by LangChain, remains unaffected. If exploited, these vulnerabilities can expose sensitive information managed by AI agents, such as API keys, customer data, and internal system credentials.
Moreover, compromised servers can become launch pads for further attacks within internal networks, significantly escalating the potential threat.
All identified vulnerabilities have been addressed in updated versions of the software. Users are urged to update to secure versions, including langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and langgraph-checkpoint-redis 1.0.2 or later, to mitigate these risks immediately.
This incident underscores the critical need for robust security measures in AI frameworks, as traditional vulnerabilities can lead to severe consequences in systems with elevated access and functionality.
