LangGraph Checkpointer Vulnerabilities Chain SQLi to Full RCE

TL;DR CRITICAL
  • What happened: Three LangGraph checkpointer vulnerabilities chain SQL injection with unsafe deserialization to achieve RCE.
  • Who's at risk: Teams self-hosting LangGraph with SQLite or Redis checkpointers where user input reaches the get_state_history() filter parameter.
  • Act now: Update to langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+ immediately · Audit all application code that passes user-controlled input into get_state_history() or list() filter arguments · Restrict network access to LangGraph checkpointer backends and apply input validation at the application boundary
Overview

Check Point Research has disclosed three vulnerabilities in LangGraph’s checkpointer persistence layer, the component responsible for storing and retrieving AI agent execution state. Two of the flaws — a SQL injection (CVE-2025-67644) and an unsafe msgpack deserialization (CVE-2026-28277) — chain together to enable unauthenticated remote code execution on self-hosted deployments. A third vulnerability (CVE-2026-27022) introduces the same injection class into the Redis checkpointer. LangGraph records over 50 million monthly PyPI downloads, making the blast radius significant for teams running their own AI agent infrastructure.

Technical Analysis

The root cause of CVE-2025-67644 lies in LangGraph’s _metadata_predicate function, which builds SQL WHERE clauses for checkpoint queries. When the list() function is called with a user-supplied filter dictionary, the dictionary’s keys are interpolated directly into a json_extract() SQL expression without parameterisation:

predicates.append(
    f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"
)

Because query_key is never sanitised, an attacker who controls the filter argument can inject arbitrary SQLite expressions. SQLite’s writefile() or similar mechanisms can then be leveraged to write attacker-controlled data to disk.

CVE-2026-28277 escalates the impact to RCE. LangGraph deserialises checkpoint payloads using msgpack without restricting object types. An attacker who can write a malicious checkpoint blob — possible via the SQLi primitive above — can craft a msgpack payload that executes arbitrary Python on deserialisation, completing the exploit chain.

CVE-2026-27022 mirrors the SQLi pattern in the Redis checkpointer, where metadata filter keys are similarly unsanitised before being used in Redis query construction.

Framework Mapping

  • AML.T0047 (ML-Enabled Product or Service): The attack surface is the LangGraph agent framework itself; exploitation requires no model access, only interaction with the persistence API.
  • AML.T0010 (ML Supply Chain Compromise): LangGraph is a foundational dependency for a large portion of the LLM application ecosystem; a vulnerable version in a shared environment propagates risk broadly.
  • LLM05 (Supply Chain Vulnerabilities): The flaws exist in a widely adopted open-source AI infrastructure package.
  • LLM07 (Insecure Plugin Design): The checkpointer acts as a plugin/extension to LangChain, and its failure to sanitise inputs exemplifies insecure plugin design at the framework level.

Impact Assessment

The critical path requires that an attacker control a value passed to get_state_history() or list() filter parameters — a realistic scenario in multi-tenant or user-facing agent deployments. LangChain’s managed LangSmith Deployment (formerly LangGraph Platform) uses PostgreSQL and is confirmed unaffected. Self-hosted deployments using SQLite or Redis checkpointers are the primary risk surface. Successful exploitation yields OS-level code execution on the host running the LangGraph process, with full access to agent memory, secrets, and downstream infrastructure.

Mitigation & Recommendations

  1. Patch immediately: Upgrade to langgraph-checkpoint-sqlite >= 3.0.1, langgraph >= 1.0.10, and langgraph-checkpoint-redis >= 1.0.2.
  2. Audit filter inputs: Identify every call site where user-controlled data reaches list() or get_state_history() filter arguments and apply strict allowlist validation.
  3. Restrict backend access: Ensure SQLite files and Redis instances are not network-accessible beyond the application process; apply principle of least privilege to host filesystem permissions.
  4. Consider managed deployment: LangChain’s cloud-managed offering is not vulnerable; teams without the capacity to maintain patched self-hosted infrastructure should evaluate migration.
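One way to implement the allowlist validation from step 2 for the json_extract() predicate pattern described in the Technical Analysis, written here as an added example rather than LangGraph's own code; the checkpoint table layout, the ALLOWED_KEYS set and the function names are assumptions.

```python
import json
import re
import sqlite3
from typing import Any, Dict, List, Tuple

# Hypothetical hardened predicate builder (not LangGraph's code). Filter keys must match a strict
# identifier pattern AND an application allowlist before they are spliced into the json_extract()
# path; filter values are never interpolated and are always bound as SQL parameters.
_SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_KEYS = frozenset({"source", "step", "user_id"})  # assumed per-application allowlist


def safe_metadata_predicate(metadata_filter: Dict[str, Any]) -> Tuple[List[str], List[Any]]:
    """Return (predicates, params) for a metadata filter, rejecting any untrusted key."""
    predicates: List[str] = []
    params: List[Any] = []
    for key, value in metadata_filter.items():
        if not isinstance(key, str) or not _SAFE_KEY.match(key) or key not in ALLOWED_KEYS:
            raise ValueError(f"rejected metadata filter key: {key!r}")
        column = f"json_extract(CAST(metadata AS TEXT), '$.{key}')"
        if value is None:
            predicates.append(f"{column} IS NULL")
        else:
            predicates.append(f"{column} = ?")
            # Scalars compare directly; nested values are compared as serialised JSON text.
            params.append(value if isinstance(value, (int, float, str)) else json.dumps(value))
    return predicates, params


def search_checkpoints(conn: sqlite3.Connection, metadata_filter: Dict[str, Any]) -> List[str]:
    """Query the checkpoint table using only validated predicates and bound parameters."""
    predicates, params = safe_metadata_predicate(metadata_filter)
    where = " AND ".join(predicates) or "1"
    sql = f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like a checkpoint store with a JSON metadata column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (checkpoint_id TEXT PRIMARY KEY, metadata BLOB)")
    rows = [  # constructed sample checkpoints
        ("ckpt-1", {"source": "input", "step": 0, "user_id": "alice"}),
        ("ckpt-2", {"source": "loop", "step": 1, "user_id": "alice"}),
        ("ckpt-3", {"source": "loop", "step": 2, "user_id": "bob"}),
    ]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                     [(cid, json.dumps(meta).encode()) for cid, meta in rows])
    return conn
```

A key that fails either check raises ValueError before any SQL is built, so the rejection can be logged at the application boundary as a signal worth alerting on.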
