Vulnerability Chain Overview
Researchers have uncovered a set of three interconnected security flaws in LangGraph, an open source framework for building AI agent applications. The vulnerabilities, when chained together, allow attackers to achieve remote code execution on self-hosted servers. The flaws affect specific versions of LangGraph’s checkpoint storage components, including an SQL injection issue (CVE-2025-67644) in the SQLite checkpoint implementation, an unsafe deserialization flaw (CVE-2026-28277), and a query injection vulnerability (CVE-2026-27022) in the Redis checkpoint system.
Exploitation Method and Impact
The attack chain exploits the application’s ability to retrieve historical checkpoint data. An attacker first injects a malicious filter parameter through the SQL injection vulnerability, causing the system to return a fake checkpoint row containing attacker-controlled serialized data. When the application processes this data, the unsafe deserialization flaw triggers execution of arbitrary code. The vulnerability chain is only exploitable in self-hosted deployments using SQLite or Redis checkpointers with user-controlled filter input. LangChain’s managed cloud platform is not affected. Users are advised to apply the latest patches and implement authentication and network segmentation for self-hosted installations.
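The two mitigations that break this chain are (1) never letting user-supplied filter input reach the SQL text, and (2) never deserializing stored checkpoint bytes with a format that can execute code. The following added example illustrates both against a small in-memory SQLite table; it is illustrative code written for this summary, not LangGraph's own checkpointer, and the table schema, column names, filter keys and blob type tags are assumptions.

```python
import json
import sqlite3
from typing import Any

# Hypothetical checkpoint table; the column names are assumptions, not LangGraph's schema.
SCHEMA = """
CREATE TABLE checkpoints (
    thread_id     TEXT NOT NULL,
    checkpoint_id TEXT NOT NULL,
    source        TEXT,
    step          INTEGER,
    blob_type     TEXT NOT NULL,
    blob          BLOB NOT NULL
)
"""

# Only these columns may appear as filter keys. Identifiers cannot be bound as
# parameters, so the key is validated against an allowlist instead of being trusted.
FILTERABLE_COLUMNS = frozenset({"thread_id", "source", "step"})

# Only a data-only serialization format is accepted when loading a stored checkpoint.
ALLOWED_BLOB_TYPES = frozenset({"json"})


def build_filter_clause(filters: dict[str, Any]) -> tuple[str, list[Any]]:
    """Turn a caller-supplied filter dict into a WHERE clause plus bound parameters.

    Keys must be on the allowlist; values are always bound with '?', never
    interpolated into the SQL string, so SQL metacharacters stay plain data.
    """
    clauses: list[str] = []
    params: list[Any] = []
    for key, value in filters.items():
        if key not in FILTERABLE_COLUMNS:
            raise ValueError(f"unsupported filter key: {key!r}")
        clauses.append(f"{key} = ?")
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return where, params


def list_checkpoints(conn: sqlite3.Connection, filters: dict[str, Any]) -> list[tuple]:
    """Return (thread_id, checkpoint_id, blob_type, blob) rows matching the filter."""
    where, params = build_filter_clause(filters)
    sql = (
        "SELECT thread_id, checkpoint_id, blob_type, blob "
        f"FROM checkpoints WHERE {where} ORDER BY step"
    )
    return conn.execute(sql, params).fetchall()


def load_checkpoint(blob_type: str, blob: bytes) -> Any:
    """Deserialize a stored checkpoint, refusing any format that is not pure data."""
    if blob_type not in ALLOWED_BLOB_TYPES:
        raise ValueError(f"refusing to deserialize checkpoint of type {blob_type!r}")
    return json.loads(blob.decode("utf-8"))


def make_demo_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("t1", "c1", "input", 0, "json", b'{"messages": ["hi"]}'),
        ("t1", "c2", "loop", 1, "json", b'{"messages": ["hi", "hello"]}'),
        # Constructed row whose type tag is not on the allowlist; the bytes are opaque filler.
        ("t2", "c3", "input", 0, "pickle", b"<opaque bytes>"),
    ]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for thread_id, checkpoint_id, blob_type, blob in list_checkpoints(db, {"thread_id": "t1"}):
        print(thread_id, checkpoint_id, load_checkpoint(blob_type, blob))
```

A filter value containing a quote or a comment sequence simply matches no row, and an unexpected filter key is rejected before any SQL is built. Because the deserializer checks the type tag first, a row whose blob was written by (or forged to look like) a code-executing serializer is never handed to that serializer at all, which is the property that breaks the second link of the chain even if a fake checkpoint row does get returned.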
Source: https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
