A critical vulnerability chain discovered in LangGraph, a popular open-source AI agent framework developed by the creators of LangChain, could allow attackers to gain full server control through remote code execution (RCE).
The issue, identified by Check Point Research, highlights how traditional vulnerabilities can become significantly more dangerous when embedded in AI-driven systems that manage sensitive data and workflows.
LangGraph is widely used to build stateful AI agents that can manage multi-step processes using large language models (LLMs).
With around 46.5 million monthly downloads, the framework is deployed across thousands of production environments, including enterprise automation, customer support systems, and internal business applications.
Vulnerability Chain in LangGraph
This widespread adoption increases the potential impact of any security weakness. The vulnerability originates in LangGraph’s checkpointing mechanism, which stores and retrieves the execution state of AI agents.
LangGraph’s SQLite checkpointer stores agent state, checkpoints, and metadata (source: Checkpoint )
Checkpoint researchers found that the get_state_history() function contains an SQL injection flaw in its filter parameter, allowing attackers to manipulate database queries.
While SQL injection alone is a serious issue, the risk becomes critical when combined with a second flaw involving unsafe msgpack deserialization.
By chaining these vulnerabilities, an attacker can inject malicious data into the system and cause it to execute during deserialization.
This results in full remote code execution on the server. The attack path demonstrates how multiple moderate flaws can combine into a severe compromise when they exist within core components of AI frameworks.
Three CVEs have been assigned to track the vulnerabilities.
CVE-2025-67644: SQLite injection vulnerability in the checkpointer component.
CVE-2026-28277: Remote code execution via msgpack deserialization.
CVE-2026-27022: Redis injection vulnerability in alternative checkpointer backend.
The vulnerability chain primarily affects self-hosted deployments that use SQLite or Redis checkpointers with user-controlled input.
Attack chain (source: Checkpoint )
LangChain’s managed platform, LangSmith, is not impacted. If exploited, attackers can gain access to sensitive assets managed by the AI agent. This includes LLM API keys, customer data, conversation histories, and credentials connected to external systems such as CRMs and internal APIs.
Additionally, the compromised server can serve as a pivot point for further attacks on internal networks, significantly expanding the threat scope.
All vulnerabilities have been patched, and users are strongly advised to upgrade immediately. Secure versions include langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and langgraph-checkpoint-redis 1.0.2 or later.
This discovery reinforces a growing concern in AI security: traditional vulnerabilities like SQL injection can have far more severe consequences when they exist in systems that operate with elevated privileges and broad access to sensitive data.
The post Critical Vulnerability Chain in LangGraph Allows Attackers to Gain Full Server Control appeared first on Cyber Security News.
