LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution

Staff Editor 2026-06-12
LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution

LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution

https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html

Publish Date: 2026-06-12 05:50:00

Source Domain: thehackernews.com

Ravie LakshmananJun 12, 2026Vulnerability / AI Security

Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution.

LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications.

“An SQL injection in LangGraph’s function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data,” Check Point said.

The list of identified vulnerabilities is as follows –

  • CVE-2025-67644 (CVSS score: 7.3) – A SQL injection vulnerability exists in LangGraph’s SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys. (Affects langgraph-checkpoint-sqlite versions before 3.0.1)
  • CVE-2026-28277 (CVSS score: 6.8) – An unsafe msgpack deserialization vulnerability in LangGraph that could be used to trigger object reconstruction when a checkpoint is loaded by an attacker who can modify checkpoint data. (Affects langgraph versions before 1.0.10)
  • CVE-2026-27022 (CVSS score: 6.5) – A RediSearch Query Injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. (Affects @langchain/langgraph-checkpoint-redis versions before 1.0.1)

“The vulnerability chain is exploitable in self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input,” Check Point said. “LangChain’s managed platform (LangSmith Deployment), is not affected.”

Security researcher Yarden Porat, who is credited with discovering and reporting all three flaws, said CVE-2025-67644 and CVE-2026-28277 could be chained to achieve remote code execution.

Specifically, the attack chain hinges on the application exposing the get_state_history() endpoint, which then allows an attacker to retrieve…

Source

More Stories

CyberCorps is adapting to AI. The budget isn’t keeping up.

CyberCorps is adapting to AI. The budget isn’t keeping up.

Staff Editor 2026-06-12
Cybersecurity Is Now a Passenger Safety Issue

Cybersecurity Is Now a Passenger Safety Issue

Staff Editor 2026-06-12
How AI is changing the breadth of cybersecurity roles

How AI is changing the breadth of cybersecurity roles

Staff Editor 2026-06-12

Terms and Conditions - Privacy Policy