HackMyIP
2026-06-12 The Hacker News

LangGraph Flaw Chain Enables Remote Code Execution in Self-Hosted AI Agents

Tags: AI Security, Vulnerability, AI Threats

Cybersecurity researchers at Check Point have disclosed three now-patched vulnerabilities in LangGraph, the open-source framework from LangChain used to build stateful, multi-agent AI applications. The two most serious flaws, CVE-2025-67644 (CVSS 7.3) and CVE-2026-28277 (CVSS 6.8), can be chained to achieve full remote code execution on self-hosted servers. The third, CVE-2026-27022 (CVSS 6.5), is a RediSearch query injection in @langchain/langgraph-checkpoint-redis that can be used to bypass access controls. LangChain's managed LangSmith platform is not affected; only self-hosted deployments that use the SQLite or Redis checkpointers and accept user-controlled filter input are at risk. Security researcher Yarden Porat is credited with discovering and reporting all three flaws.

The attack chain begins with CVE-2025-67644, a SQL injection in LangGraph's SQLite checkpoint implementation: metadata filter keys are spliced into the query text rather than bound as parameters, so an attacker who controls the filter passed to get_state_history() can rewrite the SQL. A crafted filter makes the query return a fabricated checkpoint row whose serialized payload the attacker controls. That row is then fed to the checkpointer's msgpack deserializer, which is where CVE-2026-28277 comes in: the deserialization is unsafe, so processing the poisoned BLOB executes arbitrary code on the underlying server. Operators running exposed LangGraph instances should immediately confirm they are on langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and @langchain/langgraph-checkpoint-redis 1.0.1 or later, and should verify that checkpoint stores and agent endpoints are not reachable from the public internet.
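To make the first link of the chain concrete, here is an added illustration of the bug class described above. It is not LangGraph's own code: the `checkpoints` schema, the `search_vulnerable` / `search_hardened` helpers and the forged filter are hypothetical, and the attacker-controlled BLOB is a constructed placeholder rather than a real msgpack payload. The vulnerable helper interpolates the filter key into the JSON path while binding only the value; the hardened one allow-lists keys and binds the path itself, so no user byte ever enters the SQL text.

```python
"""Added illustration (not LangGraph's own code) of a metadata-filter KEY
spliced into SQL while only the VALUE is bound, and of the fix.
Schema, helpers and payload are hypothetical; ATTACKER_BLOB is a
constructed placeholder, not a real msgpack gadget."""
import re
import sqlite3

# Constructed placeholder for whatever an attacker would store in order to
# reach the deserializer; the bytes themselves mean nothing here.
ATTACKER_BLOB = b"forged-checkpoint-bytes"
LEGIT_BLOB = b"legit-checkpoint-bytes"
SELECT = "SELECT thread_id, checkpoint_id, metadata, checkpoint FROM checkpoints WHERE "


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a checkpoint store holding one legitimate row."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, "
        "metadata TEXT, checkpoint BLOB)"
    )
    con.execute(
        "INSERT INTO checkpoints VALUES (?, ?, ?, ?)",
        ("thread-1", "ckpt-1", '{"source": "loop", "step": 1}', LEGIT_BLOB),
    )
    return con


def search_vulnerable(con, thread_id, filter):
    """Vulnerable pattern: the filter key lands inside the JSON path literal."""
    where, params = ["thread_id = ?"], [thread_id]
    for key, value in filter.items():
        where.append(f"json_extract(metadata, '$.{key}') = ?")  # key is NOT bound
        params.append(value)
    return con.execute(SELECT + " AND ".join(where), params).fetchall()


_SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def search_hardened(con, thread_id, filter):
    """Hardened: keys must match an allow-list, and the JSON path is built from
    a bound parameter, so user input never becomes part of the SQL text."""
    where, params = ["thread_id = ?"], [thread_id]
    for key, value in filter.items():
        if not _SAFE_KEY.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        where.append("json_extract(metadata, '$.' || ?) = ?")
        params.extend([key, value])
    return con.execute(SELECT + " AND ".join(where), params).fetchall()


def forged_filter():
    """A filter whose KEY closes the path literal and UNIONs in a row the
    attacker controls, leaving the trailing '= ?' syntactically valid so the
    placeholder count still matches the bound parameters."""
    key = (
        "source') = 'loop' UNION SELECT 'thread-1', 'ckpt-forged', '{}', "
        f"X'{ATTACKER_BLOB.hex()}' FROM checkpoints WHERE ('1"
    )
    return {key: "1"}


def blobs_reaching_deserializer(rows):
    """Every BLOB the search returns is what the checkpointer hands to its
    deserializer next; that hand-off is the second link in the chain."""
    return [row[3] for row in rows]


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", blobs_reaching_deserializer(
        search_vulnerable(con, "thread-1", forged_filter())))
    try:
        search_hardened(con, "thread-1", forged_filter())
    except ValueError as exc:
        print("hardened:", exc)
```

Run as a script, the vulnerable search returns both the legitimate row and the forged one, so the attacker's bytes reach the deserializer; the hardened search rejects the key before any SQL is built. Binding the path (`'$.' || ?`) alone would already stop the injection; the allow-list is kept as a second layer so that a future refactor that drops the parameter binding still fails closed.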

LangGraph maintainers characterized CVE-2026-28277 as a post-exploitation issue requiring prior write access to the checkpoint store, framing the escalation to code execution as a secondary concern. For self-hosted operators, however, the SQL injection supplies exactly that write-equivalent access: any untrusted input that reaches the metadata filter surface is a viable entry point, especially in production deployments where multiple users or external systems interact with the same LangGraph instance. Defenders should audit their deployment topology, enforce strict network segmentation around checkpoint stores, and treat every parameter that can reach the metadata filter as untrusted input to be validated (allow-listed keys, bound values) before it touches the checkpointer. Given how quickly AI agent frameworks are being adopted, this chain underscores the need for routine vulnerability scanning and strict access controls on self-hosted AI infrastructure.

Source: The Hacker News
