Tags: security, AI tools, open source

LangGraph RCE Flaw: Patch Your Self-Hosted AI Agent Now

June 13, 2026

LangGraph has 50 million monthly downloads. Researchers just found a way to chain vulnerabilities in its persistence layer into full remote code execution, and your LLM API keys are likely sitting in that same process.

Check Point Research disclosed the full chain on June 11. All three CVEs are now patched, but only if you upgrade manually.

What LangGraph's Checkpointer Actually Does

LangGraph stores agent state between steps using a checkpointer, which is essentially the AI agent's memory. Self-hosted deployments commonly back it with SQLite or Redis. That checkpointer sits at the core of every stateful agent you build with the framework.

The problem: that persistence layer wasn't locked down.

The Three CVEs

CVE-2025-67644 (CVSS 7.3) — SQL injection in LangGraph's SQLite checkpoint implementation. Attackers can manipulate SQL queries through metadata filter keys passed to get_state_history().
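To make the filter-key injection concrete, here is an added example (not LangGraph's code, and not its real table schema) that reproduces the shape of the bug in a tiny SQLite-backed history lookup: filter values are bound as parameters, but each filter key is spliced into the JSON path inside the SQL string. The table, rows, function names and the INJECTED_KEY payload are all constructed for illustration; the hardened version beside it allow-lists the key and binds the JSON path too.

```python
import json
import re
import sqlite3

# Constructed sample rows standing in for a checkpoint table; this is not
# LangGraph's real schema, just enough to show the filter-key injection.
ROWS = [
    ("thread-1", "ckpt-1", {"source": "input", "user": "alice"}),
    ("thread-1", "ckpt-2", {"source": "loop", "user": "alice"}),
    ("thread-2", "ckpt-3", {"source": "loop", "user": "bob"}),
]


def build_db():
    """In-memory SQLite with metadata stored as a JSON text column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, metadata TEXT)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [(t, c, json.dumps(m)) for t, c, m in ROWS],
    )
    return conn


def _run(conn, clauses, params):
    sql = (
        "SELECT checkpoint_id FROM checkpoints WHERE "
        + " AND ".join(clauses)
        + " ORDER BY checkpoint_id"
    )
    return [row[0] for row in conn.execute(sql, params)]


def vulnerable_history(conn, thread_id, filters):
    """Filter *values* are bound parameters, but each filter *key* is spliced
    straight into the JSON path inside the SQL string. That is the shape of
    mistake the article attributes to _metadata_predicate()."""
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in filters.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return _run(conn, clauses, params)


KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_history(conn, thread_id, filters):
    """Hardened form: allow-list the key's characters, and bind the JSON path
    as a parameter as well, so nothing user-controlled ever becomes SQL."""
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in filters.items():
        if not KEY_RE.match(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return _run(conn, clauses, params)


# An attacker-chosen filter key (constructed). Inside the vulnerable template
# it becomes
#   json_extract(metadata, '$.x') = '' OR 1=1 OR ('1') = ?
# and the OR 1=1 discards both the thread_id and the metadata condition, so
# every thread's checkpoints come back.
INJECTED_KEY = "x') = '' OR 1=1 OR ('1"


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_history(db, "thread-1", {"user": "alice"}))
    print(vulnerable_history(db, "thread-1", {INJECTED_KEY: "anything"}))
    print(safe_history(db, "thread-1", {"user": "alice"}))
```

Binding the path as a parameter is the decisive fix: even a key that slipped past the regex would reach SQLite as a (malformed) JSON path argument, never as SQL text.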

CVE-2026-28277 (CVSS 6.8) — Unsafe msgpack deserialization when LangGraph loads a checkpoint. An attacker who can modify checkpoint data can trigger object reconstruction.

CVE-2026-27022 (CVSS 6.5) — RediSearch query injection in @langchain/langgraph-checkpoint-redis, allowing access control bypass on the Redis checkpointer.

On their own, none of these is catastrophic. Chaining the SQL injection with the deserialization flaw is.

How the Chain Works

The first flaw is the SQL injection in the SQLite checkpointer's _metadata_predicate() function. On its own that is serious but not code execution; it is the second bug, CVE-2026-28277, an unsafe msgpack deserialization flaw in LangGraph's checkpoint loading mechanism, that turns it into a full server compromise.

The attack hinges on the application exposing get_state_history() to untrusted callers, since that call retrieves historical checkpoints filtered on their metadata. The SQL injection lets the attacker steer that lookup to a malicious checkpoint blob, and the deserialization flaw executes arbitrary code when LangGraph loads that blob.
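The second stage of the chain, reconstructing objects from attacker-written checkpoint data, is shown below as an added example that is not LangGraph's serializer. The "__ctor__" tagging convention, the function names and both blobs are constructed for illustration, and JSON is used as the carrier instead of msgpack so the example needs no extra packages; the hazard is identical because it lives in the reconstruction hook, not in the wire format. The malicious blob pulls a variable out of the process environment, which is where the article says your LLM API keys tend to live.

```python
import importlib
import json
import os


def encode_constructor(module, qualname, args):
    """Constructed tagging convention for 'rich' objects inside a blob."""
    return {"__ctor__": [module, qualname, list(args)]}


def _resolve(module, qualname):
    target = importlib.import_module(module)
    for part in qualname.split("."):
        target = getattr(target, part)
    return target


def unsafe_hook(obj):
    """Vulnerable: imports whatever module and calls whatever attribute the
    blob names. Anyone who can write a checkpoint gets arbitrary calls."""
    if "__ctor__" in obj:
        module, qualname, args = obj["__ctor__"]
        return _resolve(module, qualname)(*args)
    return obj


# Hardened: the only (module, name) pairs the loader will ever reconstruct.
ALLOWED_CONSTRUCTORS = {("datetime", "datetime"), ("uuid", "UUID")}


def safe_hook(obj):
    """Hardened: anything outside the allow-list is an error, not a call."""
    if "__ctor__" in obj:
        module, qualname, args = obj["__ctor__"]
        if (module, qualname) not in ALLOWED_CONSTRUCTORS:
            raise ValueError(f"refusing to reconstruct {module}.{qualname}")
        return _resolve(module, qualname)(*args)
    return obj


def unsafe_load(blob):
    return json.loads(blob, object_hook=unsafe_hook)


def safe_load(blob):
    return json.loads(blob, object_hook=safe_hook)


# A benign checkpoint fragment and an attacker-written one (both constructed).
LEGIT_BLOB = json.dumps(
    {"ts": encode_constructor("datetime", "datetime", [2026, 6, 11])}
).encode()
# Reads a variable out of the agent process's environment; os.system would be
# reachable through exactly the same hook.
MALICIOUS_BLOB = json.dumps(
    {"state": encode_constructor("os", "environ.get", ["DEMO_LLM_API_KEY"])}
).encode()


def demo():
    """Plant a fake key, then show the unsafe loader hands it to the blob's
    chosen callable while the hardened loader refuses the blob outright."""
    os.environ["DEMO_LLM_API_KEY"] = "sk-constructed-example"
    leaked = unsafe_load(MALICIOUS_BLOB)["state"]
    try:
        safe_load(MALICIOUS_BLOB)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The point for defenders: a deserializer that resolves types by name from the data is only as safe as the set of names it will resolve, and that set must be closed, not a block-list.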

What's at Risk

If exploited, attackers can gain access to LLM API keys, customer data, conversation histories, and credentials connected to external systems such as CRMs and internal APIs. A compromised server can also serve as a pivot point for further attacks on internal networks.

This isn't theoretical. Any agent with database access, webhook integrations, or secrets in environment variables is handing all of that to an attacker who gets in.

The LLM agent CVE pattern is familiar by now: classic vulnerability classes become far more dangerous inside agent runtimes that hold elevated access and long-lived credentials.

Who's Actually Vulnerable

Teams self-hosting LangGraph with the SQLite or Redis checkpointer are exposed when their application lets callers supply the metadata filter passed to get_state_history(). LangChain's managed cloud service, LangSmith Deployment, runs PostgreSQL and is not vulnerable.

If you're using LangSmith's hosted platform, you're fine. If you're running your own deployment — patch now.

LangChain Path Traversal: The Other CVE

Dropped the same week: CVE-2026-34070 (CVSS 7.5), a path traversal in LangChain's langchain_core/prompts/loading.py. A specially crafted prompt template passed to the prompt-loading API can reference arbitrary files on disk, and nothing validates the path.

Successful exploitation can read sensitive files such as Docker configurations and, combined with prompt injection, siphon secrets out through the model. If you pass any user-controlled input into LangChain's prompt loading functions, you're exposed.
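An added example of the traversal shape, not LangChain's loader code: a minimal template loader that joins a config-supplied template_path onto a trusted prompt directory, beside a hardened version that resolves the path and checks containment. The directory layout, file contents and function names are constructed for illustration; only the containment check is the technique being shown.

```python
import tempfile
from pathlib import Path


def make_fixture():
    """Constructed layout: <root>/prompts/ is the trusted template directory,
    and <root>/secret.txt stands in for a file the loader must never reach."""
    root = Path(tempfile.mkdtemp())
    prompts = root / "prompts"
    prompts.mkdir()
    (prompts / "greeting.txt").write_text("Hello {name}")
    (root / "secret.txt").write_text("sk-constructed-secret")
    return prompts, root / "secret.txt"


def load_template_unsafe(prompt_dir, config):
    """Vulnerable: template_path is joined onto the trusted directory and read
    as-is. '../' walks out of it, and an absolute path replaces the base
    entirely, because that is how Path joining works."""
    return (Path(prompt_dir) / config["template_path"]).read_text()


def load_template_safe(prompt_dir, config):
    """Hardened: resolve both paths (following symlinks) and require the
    candidate to sit strictly inside the trusted directory."""
    base = Path(prompt_dir).resolve()
    candidate = (base / config["template_path"]).resolve()
    if base not in candidate.parents:
        raise ValueError(
            f"template_path escapes {base}: {config['template_path']!r}"
        )
    return candidate.read_text()


if __name__ == "__main__":
    prompts, secret = make_fixture()
    print(load_template_unsafe(prompts, {"template_path": "../secret.txt"}))
    try:
        load_template_safe(prompts, {"template_path": "../secret.txt"})
    except ValueError as exc:
        print("blocked:", exc)
```

Resolving before comparing matters: a check on the raw string would miss symlinks and absolute paths, both of which the resolved-parents test catches.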

What to Update

All three CVEs have been patched:

  • CVE-2025-67644 → upgrade to langgraph-checkpoint-sqlite ≥ 3.0.1
  • CVE-2026-28277 → upgrade to langgraph ≥ 1.0.10
  • CVE-2026-27022 → upgrade to langgraph-checkpoint-redis ≥ 1.0.2

For the LangChain path traversal: update langchain-core to version 1.2.22 or later.
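A quick way to check an environment against the four minimum versions listed above, as an added script rather than anything from the LangChain project. It reads installed versions via importlib.metadata, or takes a dict so you can audit a lockfile export, and it compares versions numerically because a plain string compare would rank 1.0.10 below 1.0.2 and wrongly clear a vulnerable install. Pre-release tags are not modelled; that is an assumption of this helper, so use packaging.version for anything production-grade.

```python
import re
from importlib import metadata

# Minimum fixed versions as listed in the advisory above.
FIXED_VERSIONS = {
    "langgraph-checkpoint-sqlite": "3.0.1",
    "langgraph": "1.0.10",
    "langgraph-checkpoint-redis": "1.0.2",
    "langchain-core": "1.2.22",
}


def parse_version(text):
    """Leading numeric component of each dotted segment. Pre-release suffixes
    are dropped, which is good enough for the release strings above."""
    parts = []
    for segment in text.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_fixed(installed, minimum):
    """Numeric, zero-padded comparison. String comparison would call 1.0.10
    older than 1.0.2, which is exactly the trap to avoid here."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def installed_version(dist):
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def audit(installed=None):
    """Map each distribution to (version, status). Pass a dict of name ->
    version to audit a lockfile instead of the live environment."""
    report = {}
    for dist, minimum in FIXED_VERSIONS.items():
        current = installed.get(dist) if installed is not None else installed_version(dist)
        if current is None:
            status = "not installed"
        elif is_fixed(current, minimum):
            status = "ok"
        else:
            status = "VULNERABLE"
        report[dist] = (current, status)
    return report


if __name__ == "__main__":
    for dist, (version, status) in audit().items():
        print(f"{dist:32} {version or '-':12} {status}")
```

Run it inside the same virtualenv or container image the agent ships in; a clean result on a developer laptop says nothing about the deployed runtime.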

Run your upgrades, then audit any code that passes external or user-controlled input into get_state_history() or LangChain's prompt loading API. And treat a compromised agent runtime with the same urgency as a compromised privileged account — because that's effectively what it is.

Sources: Check Point Research, The Hacker News