LangGraph SQL Injection to RCE — Checkpointer Chain Exposes Agent State

AI relevance: LangGraph's agent memory layer — the checkpointer that persists execution state — contains a SQL injection that chains with unsafe deserialization to give attackers remote code execution on the agent server.

What Happened

  • Check Point Research disclosed three vulnerabilities in LangGraph's persistence layer (checkpointers) that chain to full remote code execution.
  • CVE-2025-67644 (CVSS 7.3) — SQL injection in the SQLite checkpointer. The get_state_history() function builds WHERE clauses by concatenating user-controlled filter keys directly into SQL with no parameterization or escaping.
  • CVE-2026-28277 (CVSS 6.8) — Unsafe deserialization in LangGraph's msgpack checkpoint decoder. The decoder rebuilds Python objects from stored data and can import modules and call functions with attacker-supplied arguments.
  • CVE-2026-27022 (CVSS 6.5) — Same deserialization flaw, but reachable through the Redis checkpointer instead of SQLite.
  • The chain: SQL injection writes a fabricated checkpoint row → LangGraph loads the forged row as legitimate → msgpack decoder executes the specified function (e.g., os.system) → code runs under the agent server's identity.
  • LangGraph has exceeded 50 million monthly downloads. The SQLite checkpointer is the default persistence layer for self-hosted deployments.
  • Exposure condition: self-hosted LangGraph using the SQLite or Redis checkpointer, with untrusted input reaching get_state_history() or similar history endpoints. LangSmith's managed PostgreSQL backend is not affected.
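
The filter-key concatenation described for CVE-2025-67644, shown next to a hardened form, as an added example (not LangGraph's code and not Check Point's proof-of-concept). The table layout, function names, key policy and crafted key are all constructed for illustration.

```python
import json
import re
import sqlite3

def make_db():
    # Constructed table for illustration; not LangGraph's real schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    rows = [("t1", {"source": "loop", "step": 1}),
            ("t2", {"source": "input", "step": 0})]
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                   [(t, json.dumps(m)) for t, m in rows])
    return db

def where_vulnerable(filters):
    # Weak: the filter KEY becomes SQL text; only the value is bound.
    clauses = [f"json_extract(metadata, '$.{k}') = ?" for k in filters]
    return " AND ".join(clauses), list(filters.values())

SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")  # assumed key policy

def where_hardened(filters):
    # Hardened: allowlist the key shape, then bind the JSON path as data too.
    clauses, params = [], []
    for key, value in filters.items():
        if not isinstance(key, str) or not SAFE_KEY.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(clauses), params

def history(db, builder, filters):
    where, params = builder(filters)
    # An empty filter set means "no restriction" rather than a syntax error.
    sql = f"SELECT thread_id FROM checkpoints WHERE {where or '1'} ORDER BY thread_id"
    return [row[0] for row in db.execute(sql, params)]

# Constructed key that closes the quoted JSON path and adds its own condition.
CRAFTED = {"source') IS NOT NULL OR ('": "nomatch"}

if __name__ == "__main__":
    db = make_db()
    print(history(db, where_vulnerable, {"source": "nomatch"}))  # honest miss
    print(history(db, where_vulnerable, CRAFTED))                # filter bypassed
    try:
        history(db, where_hardened, CRAFTED)
    except ValueError as exc:
        print("blocked:", exc)
```

The `ValueError` raised for a rejected key is also a natural place to emit the "unexpected filter key" log event that the monitoring advice calls for.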

Why It Matters

LangGraph is the memory layer for production AI agents. The checkpointer stores execution state — including tool calls, intermediate reasoning, and sometimes credentials passed through agent context. An attacker who gains RCE on the agent server inherits access to everything the agent can see: API keys, database connections, CRM tokens, and the ability to issue further tool calls. The attack requires no authentication on the checkpointer itself. The SQL injection is the only prerequisite. This is not a theoretical chain — Check Point published a working proof-of-concept. The exploit is ordinary AppSec (SQL injection + unsafe deserialization) living inside new AI infrastructure that security teams have not yet scoped as a trust boundary.

What to Do

  • Upgrade immediately: langgraph-checkpoint-sqlite to ≥ 3.0.1, langgraph to ≥ 1.0.10, langgraph-checkpoint-redis to ≥ 1.0.2.
  • Audit exposure: Identify any LangGraph deployment where untrusted input can reach checkpoint history endpoints. If you self-host on SQLite or Redis, you are in scope.
  • Restrict checkpoint access: Put checkpoint endpoints behind authentication. Do not expose them to the internet without auth.
  • Review agent secrets: If your agent passes API keys, database credentials, or tokens through checkpoint state, rotate them — especially if you discover evidence of unauthorized checkpoint writes.
  • Monitor checkpoint writes: Log all put() operations on the checkpointer. Alert on unexpected filter keys or malformed checkpoint data.
