From SQLi to RCE – Exploiting LangGraph's Checkpointer
This Check Point Research article details the discovery of three critical vulnerabilities in LangGraph, a popular open-source framework for building stateful AI agents. The vulnerabilities reside in the framework's persistence layer, known as the "checkpointer." Two of the flaws chain together to enable remote code execution (RCE): a SQL injection vulnerability (CVE-2025-67644) in the SQLite checkpointer, and an unsafe deserialization issue (CVE-2026-28277) in the handling of msgpack data. A third vulnerability (CVE-2026-27022) introduces the same SQL injection class in the Redis checkpointer. The attack works by an attacker exploiting the SQL injection to inject a malicious row into database query results, which the application then deserializes unsafely, allowing arbitrary code execution. The vulnerabilities affect self-hosted instances of LangGraph that expose the `get_state_history()` function with user-controlled filters. LangChain has released patches for all three issues, and users are urged to update to the specified fixed versions.
https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer
Comments
Post a Comment