{"slug": "langgraph-rce-patch-your-ai-agent-checkpointers-now", "title": "LangGraph RCE: Patch Your AI Agent Checkpointers Now", "summary": "Three vulnerabilities in LangGraph's checkpointer, disclosed on June 12, allow attackers to chain SQL injection into remote code execution on self-hosted servers using SQLite or Redis backends. The flaws, discovered by Check Point Research, expose sensitive AI agent state including API keys and customer data. Patches are available for all affected packages; immediate update is recommended.", "body_md": "LangGraph’s checkpointer — the feature that gives your AI agents persistent memory across sessions — just became the attack surface. Three now-patched vulnerabilities [disclosed on June 12](https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html) allow attackers to chain a SQL injection into full remote code execution on self-hosted LangGraph servers. If you’re running LangGraph on your own infrastructure with the SQLite or Redis checkpointer, read this before doing anything else today.\n\n## Two Flaws, One Very Bad Outcome\n\nThe vulnerability chain, discovered by [Check Point Research security researcher Yarden Porat](https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/), combines two weaknesses in LangGraph’s SQLite checkpoint persistence layer.\n\n**CVE-2025-67644 (CVSS 7.3) — SQL injection in the SQLite checkpointer.** The `_metadata_predicate()` function builds a SQL WHERE clause from metadata filter keys without sanitizing them. An attacker who controls the filter values passed to `get_state_history()` can inject a UNION clause, forcing the query to return an attacker-crafted row instead of real checkpoint data.\n\n**CVE-2026-28277 (CVSS 6.8) — Unsafe msgpack deserialization.** After the injected SQL returns a fake checkpoint row, LangGraph deserializes it by calling `loads_typed(\"msgpack\", checkpoint)`. 
The deserialization hook, `_msgpack_ext_hook()`, reconstructs Python objects without validating their types. An attacker-crafted payload can reconstruct a Python object that calls `os.system()` on instantiation.\n\nThe full call chain:\n\n```\nget_state_history() → sqliteSaver.list() → UNION-injected SQL → loads_typed(\"msgpack\") → _msgpack_ext_hook() → os.system()\n```\n\nA third flaw, CVE-2026-27022 (CVSS 6.5), introduces the same injection class into the Redis checkpointer via RediSearch query injection. It does not chain to RCE on its own, but it can bypass access controls on Redis-backed deployments.\n\n## What Attackers Actually Get\n\nRemote code execution on a LangGraph server is worse than RCE on most other servers, because AI agent state is uniquely sensitive. LangGraph checkpoints accumulate everything the agent has ever touched: LLM API keys, full conversation and decision history, CRM credentials passed to tools, customer PII stored in agent state, and database connection strings. One compromised checkpointer and an attacker has the keys to your entire AI-powered stack.\n\n## Are You Affected?\n\nThe vulnerability chain only fires under specific conditions:\n\n- You are running LangGraph self-hosted (LangSmith/LangGraph Platform uses PostgreSQL and is not affected)\n- You are using the SQLite or Redis checkpointer backend\n- User-controlled input reaches the filter parameters of `get_state_history()`\n\nIf you’re using the in-memory `MemorySaver` or managed LangGraph Platform, you’re not affected. That said, many teams that followed LangGraph tutorials defaulted to SQLite — it’s the path of least resistance. Assume you’re affected until you verify otherwise.\n\n## Patch Now: Three Packages\n\nAll three vulnerabilities are patched. 
Check the [official GitHub security advisory](https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5) and update immediately:\n\n- `langgraph` → 1.0.10 or later\n- `langgraph-checkpoint-sqlite` → 3.0.1 or later\n- `@langchain/langgraph-checkpoint-redis` → 1.0.2 or later\n\n```\npip install \"langgraph>=1.0.10\" \"langgraph-checkpoint-sqlite>=3.0.1\"\n```\n\nIf you cannot patch immediately: stop exposing `get_state_history()` to user-controlled filter input, or validate and allowlist all metadata filter keys before they reach LangGraph. Running LangGraph processes under minimal OS permissions also limits damage post-RCE.\n\n## The Bigger Picture\n\nThis is the second major LangChain ecosystem security incident in six months. In December 2025, Porat discovered CVE-2025-68664 in LangChain Core — a serialization injection flaw with a CVSS score of 9.3 that earned a $4,000 bug bounty, the highest ever paid for a LangChain report. Six months later, another serialization issue in the same ecosystem.\n\nThe pattern is worth naming: AI agent frameworks are being deployed faster than they’re being hardened. Teams moved fast on [LangGraph tutorials](https://byteiota.com/langgraph-for-ai-agents-build-production-ready-workflows/) — reasonable, given how useful the framework is — but didn’t audit the persistence layer because it felt like plumbing. It is plumbing. Plumbing that serializes Python objects, executes SQL, and holds your API keys. 
That deserves the same security attention as any other database-backed service.", "url": "https://wpnews.pro/news/langgraph-rce-patch-your-ai-agent-checkpointers-now", "canonical_source": "https://byteiota.com/langgraph-rce-patch-ai-agent-checkpointers/", "published_at": "2026-06-15 06:09:07+00:00", "updated_at": "2026-06-15 06:17:11.139592+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-infrastructure"], "entities": ["LangGraph", "Check Point Research", "Yarden Porat", "SQLite", "Redis", "LangSmith", "LangChain"], "alternates": {"html": "https://wpnews.pro/news/langgraph-rce-patch-your-ai-agent-checkpointers-now", "markdown": "https://wpnews.pro/news/langgraph-rce-patch-your-ai-agent-checkpointers-now.md", "text": "https://wpnews.pro/news/langgraph-rce-patch-your-ai-agent-checkpointers-now.txt", "jsonld": "https://wpnews.pro/news/langgraph-rce-patch-your-ai-agent-checkpointers-now.jsonld"}}