LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution


Fri, 12 Jun 2026



Details

Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications.

"An SQL injection in LangGraph's function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data," Check Point said.

The list of identified vulnerabilities is as follows -

"The vulnerability chain is exploitable in self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input," Check Point said. "LangChain's managed platform (LangSmith Deployment) is not affected."

Security researcher Yarden Porat, who is credited with discovering and reporting all three flaws, said CVE-2025-67644 and CVE-2026-28277 could be chained to achieve remote code execution. Specifically, the attack chain hinges on the application exposing the get_state_history() endpoint, which then allows an attacker to retrieve historical checkpoints based on their metadata. It requires the following steps -

LangGraph has described CVE-2026-28277 as a post-exploitation issue, where successful exploitation requires the ability to write attacker-controlled checkpoint data and turn that into code execution in the application runtime, and it does not pose any risks to existing LangSmith-hosted deployments. In such a scenario, this escalation from "write access to checkpoint store" to code execution may "expose runtime secrets or provide access to other systems the runtime can reach," LangGraph maintainers said.
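As an added illustration, not code from LangGraph or Check Point, the snippet below shows the defensive pattern that closes a filter-driven SQL injection of the kind described above: a user-supplied metadata filter is turned into a SQLite query over a constructed checkpoint table, with filter keys allow-listed and every value (including the JSON path) bound as a parameter rather than spliced into the SQL text. The table layout, column names and sample rows are assumptions made for the example.

```python
import json
import re
import sqlite3

# Constructed stand-in for a checkpoint store: one JSON metadata document per checkpoint.
SCHEMA = "CREATE TABLE checkpoints (checkpoint_id TEXT PRIMARY KEY, metadata TEXT NOT NULL)"
SAMPLE_ROWS = [
    ("cp-1", {"source": "input", "step": 1}),
    ("cp-2", {"source": "loop", "step": 2}),
    ("cp-3", {"source": "input", "step": 3}),
]

# Only plain identifier-like keys are accepted, so a key can never smuggle
# JSON-path syntax ('.', '[', '$') or quoting characters into the lookup.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_where(metadata_filter):
    """Translate a metadata filter dict into a WHERE clause plus bound parameters.

    The SQL text contains only fixed fragments and '?' placeholders; the JSON path
    and the comparison value for every key are passed to SQLite as parameters.
    """
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not KEY_RE.match(key):
            raise ValueError(f"rejected metadata key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    where = " AND ".join(clauses) if clauses else "1 = 1"
    return where, params


def history(conn, metadata_filter):
    """Return the ids of checkpoints whose metadata matches every key in the filter."""
    where, params = build_where(metadata_filter)
    sql = f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Build an in-memory SQLite database holding the constructed sample checkpoints."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                     [(cid, json.dumps(meta)) for cid, meta in SAMPLE_ROWS])
    return conn


if __name__ == "__main__":
    print(history(demo_db(), {"source": "input"}))
```

Because the value is bound, a filter value containing quote characters is compared literally against the stored metadata and simply matches nothing.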

"The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access."

Check Point said the findings illustrate how classic vulnerability classes like SQL injection can become more potent when they manifest inside AI agent frameworks that carry elevated access and trust, thereby opening the door to sensitive data exposure. Users are advised to apply the latest fixes, implement authentication for self-hosted LangGraph servers, avoid long-lived static secrets, enforce network segmentation, treat AI agents as privileged identities, and apply the principle of least privilege (PoLP) to limit the agent's access footprint.
