Flaws in popular AI agent framework let attackers hijack servers

Researchers have disclosed three security flaws in LangGraph, a widely used open-source framework for building AI agents, two of which can be chained together to run arbitrary code on a vulnerable server. The findings come from Check Point Research, where researcher Yarden Porat examined how the framework stores an agent's memory.

LangGraph, an extension of LangChain, sees more than 50 million downloads a month according to PyPI. It gives AI agents persistence through components called checkpointers, which save an agent's execution state at each step so it can pick up where it left off. Porat found that when that persistence layer is not locked down, it becomes an entry point for attackers.

What is affected

The risk applies to teams that self-host LangGraph using its SQLite or Redis checkpointer and expose the get_state_history() function with a user-controlled filter. According to Check Point, LangChain's managed cloud service, LangSmith Deployment (formerly LangGraph Platform), runs on PostgreSQL and is not affected.

How the attack works

The core issue (tracked as CVE-2025-67644) is a SQL injection in the SQLite checkpointer. When an application filters saved checkpoints by their metadata, an attacker-supplied filter key containing a stray quote character can break out of the intended query and inject arbitrary SQL. That alone is dangerous, but Porat showed it gets worse: by injecting a crafted UNION SELECT, an attacker can add a fake checkpoint row whose contents are then deserialized by the application.

That second step abuses an unsafe deserialization weakness (CVE-2026-28277) in how the framework unpacks msgpack-encoded data, turning the database injection into full remote code execution. A third, parallel flaw (CVE-2026-27022) introduces the same injection class into the Redis checkpointer. In short, a single attacker-controlled filter value can move from reading an agent's stored memory to running code on the host.

What you should do

LangChain has patched all three issues. Check Point urges users to update to langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and langgraph-checkpoint-redis 1.0.2 or later. Teams that pass any user-influenced value into a checkpointer filter should treat patching as urgent, and should review whether get_state_history() and similar functions are reachable by untrusted input. The findings echo the root causes researchers keep hitting across AI developer tooling, from the AI coding agents broken at Pwn2Own Berlin to over-trusted agent identities in Microsoft Entra. Full technical detail is available in the original report.
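The following is an added example, not code from LangGraph, LangChain or the Check Point report: one way an application can constrain a caller-supplied metadata filter before it reaches any SQL layer, as defense in depth alongside the patched packages. The table layout, the ALLOWED_KEYS allowlist and all function names are assumptions made for illustration.

```python
import json
import re
import sqlite3

# Hypothetical allowlist: the only metadata keys this application lets callers filter on.
ALLOWED_KEYS = {"source", "step", "user_id"}
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class FilterRejected(ValueError):
    """Raised when a caller-supplied filter is not safe to turn into a query."""


def build_metadata_predicate(flt):
    """Return (where_sql, params); no caller-supplied text ever lands in where_sql."""
    clauses, params = [], []
    for key, value in flt.items():
        if not isinstance(key, str) or not _IDENT.fullmatch(key) or key not in ALLOWED_KEYS:
            raise FilterRejected(f"filter key not allowed: {key!r}")
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise FilterRejected(f"unsupported value type for {key!r}")
        # Both the JSON path and the comparison value are bound parameters.
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(clauses) or "1", params


def find_checkpoints(conn, flt):
    where, params = build_metadata_predicate(flt)
    sql = f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed sample data; not LangGraph's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (checkpoint_id TEXT PRIMARY KEY, metadata TEXT)")
    sample = [("cp-1", {"source": "input", "step": 0}),
              ("cp-2", {"source": "loop", "step": 1}),
              ("cp-3", {"source": "loop", "step": 2})]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                     [(cid, json.dumps(meta)) for cid, meta in sample])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(find_checkpoints(db, {"source": "loop"}))
    try:
        find_checkpoints(db, {"source'": "loop"})
    except FilterRejected as exc:
        print("rejected:", exc)
```

The same key check can sit in the request handler in front of get_state_history(), so that a rejected filter never reaches the checkpointer at all.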

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
