Key Findings:
- Check Point Research identified a critical vulnerability chain in LangGraph, an open-source framework from the creators of LangChain that enables developers to build complex, stateful, and controllable AI agent workflows using LLMs. The framework has approximately 46.5 million monthly downloads, making it one of the most widely adopted AI agent platforms in the world.
- An SQL injection in the filter handling of LangGraph’s get_state_history() function, chained with an unsafe deserialization step, could allow attackers to gain full control of a server via remote code execution. A compromised LangGraph server exposes everything the agent touches, including LLM API keys, customer data, CRM credentials, conversation history, and internal network access.
- Three CVEs were assigned: CVE-2025-67644 (SQLite injection), CVE-2026-28277 (msgpack deserialization RCE), and CVE-2026-27022 (Redis injection). All three have been patched.
- The vulnerability chain is exploitable in self-hosted deployments that use the SQLite or Redis checkpointer with user-controlled filter input. LangChain’s managed platform (LangSmith Deployment) is not affected.
- This research demonstrates a broader pattern: classic vulnerability classes like SQL injection become significantly more dangerous when they appear inside AI agent frameworks that carry elevated access and trust.
Check Point Research discovered how a single overlooked API in LangGraph, one of the world’s most widely used AI agent frameworks, can hand an attacker complete control of your AI infrastructure.
LangGraph is not a niche tool. With close to 46.5 million downloads last month alone, it powers AI agents across thousands of production environments, from customer support automation to internal enterprise workflows. That kind of adoption means any security issue in it is worth paying close attention to.
When Check Point Research set out to understand how AI agent frameworks handle persistence and state, we did not expect to find a path to full remote code execution. But that is exactly what we uncovered inside LangGraph, hidden in the component responsible for saving and retrieving agent memory.
How AI agents remember things
Unlike a simple chatbot, a stateful AI agent needs to remember what it has done across multiple steps. LangGraph handles this through a component called a checkpointer, a persistence layer that saves the agent’s execution state at each step so it can be retrieved later.
This is where our research focused. The checkpointer is deeply embedded in how LangGraph operates, and any vulnerability here sits directly in the execution path of the entire agent workflow.
Our team discovered that LangGraph’s get_state_history() function, which retrieves historical agent checkpoints, contains an SQL injection vulnerability in its filter parameter. On its own, that is already serious. But chained with a second vulnerability in how LangGraph deserializes checkpoint data, it becomes a path to full remote code execution.
Figure 1: SQLite checkpointer database schema used by LangGraph to store agent execution state, including thread identifiers, checkpoint data, and metadata blobs.
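To make the injection concrete, here is an added, self-contained illustration of the bug class; it is not LangGraph's code and its schema, function names and sample rows are constructed for this example. A filter dict is turned into a WHERE clause over a JSON metadata blob. The vulnerable version binds the filter value but splices the filter key straight into the SQL text; the hardened version validates keys against a strict identifier pattern and passes the JSON path as a bound parameter as well.

```python
import re
import sqlite3

# Constructed sample data, not LangGraph's real schema: one checkpoint per row,
# metadata stored as a JSON text blob.
SAMPLE_ROWS = [
    ("thread-A", "ckpt-1", '{"source": "input", "step": 1, "user": "alice"}'),
    ("thread-A", "ckpt-2", '{"source": "loop", "step": 2, "user": "alice"}'),
    ("thread-B", "ckpt-3", '{"source": "loop", "step": 1, "user": "bob"}'),
]

# Attacker-chosen filter *key* (constructed). It closes the quoted JSON path,
# appends an always-true condition, then reopens a path so the trailing "= ?"
# still has a placeholder to bind against and the parameter count stays valid.
INJECTED_KEY = "x') = 1 OR 1=1 OR json_extract(metadata, '$.y"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, metadata TEXT)"
    )
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_vulnerable(conn, thread_id: str, filter: dict) -> list:
    """Unsafe pattern: the value is bound, but the dict key is interpolated into
    the SQL string, so whoever controls the key controls the WHERE clause."""
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    sql = "SELECT thread_id, checkpoint_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


# Only plain identifiers may name a metadata field.
SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def list_hardened(conn, thread_id: str, filter: dict) -> list:
    """Hardened pattern: keys must match SAFE_KEY, and the JSON path is passed
    as a bound parameter, so no caller-supplied text reaches the SQL string."""
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in filter.items():
        if not SAFE_KEY.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    sql = "SELECT thread_id, checkpoint_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable :", list_vulnerable(db, "thread-A", {"source": "loop"}))
    # Leaks thread-B's checkpoint although thread-A was requested.
    print("inject, vulnerable:", list_vulnerable(db, "thread-A", {INJECTED_KEY: "any"}))
    print("legit, hardened   :", list_hardened(db, "thread-A", {"source": "loop"}))
    try:
        list_hardened(db, "thread-A", {INJECTED_KEY: "any"})
    except ValueError as exc:
        print("inject, hardened  : rejected ->", exc)
```

The injected key never touches the value binding, which is why "we use parameterised queries" is not by itself a defence: every fragment of SQL text assembled from caller input, including column names and JSON paths, needs either binding or a strict allowlist.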
The chain that makes it dangerous
Individual bugs are common. What makes this research significant is how two vulnerabilities combine into something far more serious than either one alone. The SQL injection allows an attacker to manipulate which checkpoint data gets returned from the database. The deserialization vulnerability means that when LangGraph processes that returned data, an attacker-controlled payload gets executed as code on the server. Neither flaw alone tells the full story. Together, they create a clear path from a single API call to complete server compromise.
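The second half of the chain is the deserializer's willingness to execute whatever the stored blob tells it to. The following is an added illustration, not LangGraph's serializer: LangGraph uses msgpack ext types, but msgpack is not assumed to be installed here, so the same "reconstruct an object by module and name" pattern is shown on JSON with a constructed `__ctor__` tag. The blob contents, function names and allowlist are assumptions for the example; the defect, and the fix, are the same in either encoding.

```python
import datetime
import importlib
import json

# Constructed wire format standing in for a serializer's "rebuild this object"
# records: {"__ctor__": [module, name, args]}.


def _reconstruct(module: str, name: str, args: list):
    return getattr(importlib.import_module(module), name)(*args)


def unsafe_hook(obj: dict):
    """Trusts the blob completely: whatever module/name it names is imported
    and called. If an attacker can control which blob is returned (for
    example through the SQL injection above), this is where it becomes code
    execution."""
    if "__ctor__" in obj:
        module, name, args = obj["__ctor__"]
        return _reconstruct(module, name, args)
    return obj


def loads_unsafe(data: bytes):
    return json.loads(data, object_hook=unsafe_hook)


# Allowlist of the constructors the application actually needs to round-trip.
# Anything else is refused regardless of what the blob claims.
ALLOWED_CTORS = {("datetime", "datetime"), ("uuid", "UUID"), ("decimal", "Decimal")}


def safe_hook(obj: dict):
    if "__ctor__" in obj:
        module, name, args = obj["__ctor__"]
        if (module, name) not in ALLOWED_CTORS:
            raise ValueError(f"refusing to reconstruct {module}.{name}")
        return _reconstruct(module, name, args)
    return obj


def loads_safe(data: bytes):
    return json.loads(data, object_hook=safe_hook)


# Constructed blobs: a legitimate checkpoint fragment and an attacker-crafted one.
# "7 * 6" is a harmless stand-in; any expression, e.g. one importing os and
# spawning a shell, would be evaluated just the same by the unsafe path.
LEGIT_BLOB = b'{"ts": {"__ctor__": ["datetime", "datetime", [2025, 1, 1]]}, "step": 3}'
ATTACK_BLOB = b'{"ts": {"__ctor__": ["builtins", "eval", ["7 * 6"]]}}'


if __name__ == "__main__":
    print("unsafe, legit :", loads_unsafe(LEGIT_BLOB))
    print("unsafe, attack:", loads_unsafe(ATTACK_BLOB))   # attacker expression ran
    print("safe, legit   :", loads_safe(LEGIT_BLOB))
    try:
        loads_safe(ATTACK_BLOB)
    except ValueError as exc:
        print("safe, attack  : rejected ->", exc)
```

The allowlist is the whole fix: a deserializer that resolves types by name must treat the name as untrusted input and map it through a fixed table, never through a generic import-and-call.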
Three CVEs were assigned across the SQLite checkpointer, the Redis checkpointer, and the core deserialization mechanism. We worked directly with the LangChain team through the full disclosure process, helping design and validate the fixes.
What an attacker actually gets
Full code execution on a LangGraph server is not a contained incident. These servers hold the keys to everything the agent touches.
- LLM API keys and secrets — every key the agent uses, directly billable and abusable by the attacker
- Full conversation history — every past interaction, prompt, and response the agent has ever processed
- Connected data — CRM records, helpdesk tickets, billing details, and customer PII the agent has touched
- Network foothold — a pivot point into broader internal systems, inheriting whatever access the agent had
This is categorically different from a prompt injection attack that affects a single agent session. A compromised server means an attacker can read every conversation that agent has ever processed and hijack its behavior entirely going forward. This could effectively manipulate the AI into performing unauthorized actions, spreading misinformation, or impersonating trusted systems. In effect, the AI shifts from being a trusted assistant to a potentially compromised tool that can create serious operational, security, and trust risks for the organization.
Figure 2: End-to-end attack chain from SQL injection in get_state_history() to remote code execution via msgpack deserialization.
Who is affected
LangGraph is a framework, not a hosted product. That means every team using it is effectively self-hosting it inside their own application. The vulnerability chain is exploitable when an application exposes get_state_history() with a user-controllable filter parameter, and uses either the SQLite or Redis checkpointer backend. LangChain’s own managed platform uses PostgreSQL and is not affected by this specific chain.
All three vulnerabilities have been fixed. Teams running the SQLite checkpointer should update to langgraph-checkpoint-sqlite 3.0.1 or later to address CVE-2025-67644. The msgpack deserialization issue, CVE-2026-28277, is resolved in langgraph 1.0.10 or later. For those using the Redis checkpointer, CVE-2026-27022 is patched in langgraph-checkpoint-redis 1.0.2 or later. If you are running any version below these, upgrading should be the immediate priority.
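An added helper (not part of the original post or the LangGraph project) that checks an environment against the three minimum fixed versions above. It reads installed versions with the standard library's importlib.metadata and compares them numerically rather than as strings, so that 1.0.2 is correctly reported as older than 1.0.10; the comparison logic is this example's own and is deliberately conservative about pre-release suffixes.

```python
import importlib.metadata
import re

# Minimum fixed versions from the advisory.
FIXED_VERSIONS = {
    "langgraph-checkpoint-sqlite": "3.0.1",   # CVE-2025-67644
    "langgraph": "1.0.10",                    # CVE-2026-28277
    "langgraph-checkpoint-redis": "1.0.2",    # CVE-2026-27022
}


def _parse(version: str) -> tuple:
    """Split into numeric release segments plus a marker for any suffix.
    Anything after the numbers (rc1, a1, .dev0, .post1) is treated as sorting
    before the plain release: conservative, so a post-release of a fixed
    version is flagged rather than silently accepted."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    suffix_rank = -1 if m.group(2) else 0
    return nums, suffix_rank


def is_at_least(installed: str, minimum: str) -> bool:
    inums, irank = _parse(installed)
    mnums, mrank = _parse(minimum)
    width = max(len(inums), len(mnums))
    inums += (0,) * (width - len(inums))
    mnums += (0,) * (width - len(mnums))
    return (inums, irank) >= (mnums, mrank)


def vulnerable_packages(installed: dict) -> list:
    """installed: {distribution name: version string}. Returns the affected
    packages whose installed version is below the fix, sorted by name."""
    return sorted(
        name
        for name, ver in installed.items()
        if name in FIXED_VERSIONS and not is_at_least(ver, FIXED_VERSIONS[name])
    )


def installed_versions() -> dict:
    """Versions of the three packages in the current interpreter, skipping
    any that are not installed."""
    found = {}
    for name in FIXED_VERSIONS:
        try:
            found[name] = importlib.metadata.version(name)
        except importlib.metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    present = installed_versions()
    for name, ver in present.items():
        print(f"{name} {ver} (fixed in {FIXED_VERSIONS[name]})")
    bad = vulnerable_packages(present)
    print("still vulnerable:", bad if bad else "none of the installed packages")
```

Run it inside each virtual environment that hosts a LangGraph service; a package that is not installed is simply not reported, so an empty result for a Redis deployment should prompt a check that the Redis checkpointer really is absent rather than installed under a different environment.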
Securing agentic AI: what defenders should do
These vulnerabilities are now patched, and all users should upgrade immediately. But the more durable takeaway from this research is what it reveals about how teams should be approaching AI agent security more broadly.
- Patch immediately. If you are running an affected version of LangGraph, updating is the single most important step. The patched versions are listed above.
- Put authentication in front of your LangGraph server. LangGraph self-hosted ships without built-in authentication, which means the top priority for developers is placing a reverse proxy or API gateway in front of it and avoiding direct exposure to untrusted networks. Treating it as an internal-only service materially shrinks the attack surface.
- Treat AI agents as privileged identities. Agents carry real access, interact with sensitive data, and hold credentials to SaaS applications, internal APIs, databases, and LLM providers. A compromised agent runtime should be treated with the same severity as a compromised privileged account.
- Minimize what agents can access. Apply least privilege to every credential an agent holds. The smaller the access footprint, the more contained any compromise will be. Check Point’s AI Agent Security capabilities are built around exactly this model, providing visibility and control over agent behavior, runtime trust, and lateral movement risk in agentic environments.
- Test your agentic systems the way attackers would. One of the harder lessons from this research is that the severity here came from chaining, not from any single flaw in isolation. Individual bugs get caught. Chains get missed. AI red teaming, which treats your agentic stack as an adversary would, is where that kind of emergent risk gets surfaced before it becomes a real incident. Check Point’s AI Red Teaming work is grounded in this approach, using the same adversarial reasoning that uncovered this vulnerability chain.
- Avoid long-lived static secrets. Where possible, adopt credential brokering patterns that reduce direct API key exposure and prevent secrets from leaking into prompts, logs, or agent state.
- Enforce strong network controls. Agent runtimes should sit behind proper authentication and network segmentation, not exposed as open endpoints.
Interested in how Check Point can help secure your agentic AI deployments? Contact us here.