[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmYVRisb3CMWvde9VPkkz-Lv2n64eCv0Xqo2HOKo7mPM":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"9e54a67b-9198-41cb-8fec-2d31f78a013c","LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution","langgraph-flaw-chain-exposes-self-hosted-ai-agents-to-remote-code-execution-b65eff","Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications. \"An SQL injection in LangGraph's function could","Cybersecurity researchers have disclosed three vulnerabilities in the open-source LangGraph framework, used for building AI agent applications. A critical vulnerability chain, combining SQL injection and unsafe deserialization, allows for remote code execution on self-hosted deployments using SQLite or Redis checkpointers. LangChain's managed platform, LangSmith, is not affected.","Three patched flaws in LangGraph, including a critical RCE chain, affect self-hosted AI agents.","LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution Ravie Lakshmanan Jun 12, 2026 Vulnerability \u002F AI Security Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artificial intelligence (AI) agentic applications. 
\"An SQL injection in LangGraph's function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data,\" Check Point said. The list of identified vulnerabilities is as follows - CVE-2025-67644 (CVSS score: 7.3) - A SQL injection vulnerability exists in LangGraph's SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys. (Affects langgraph-checkpoint-sqlite versions before 3.0.1) CVE-2026-28277 (CVSS score: 6.8) - An unsafe msgpack deserialization vulnerability in LangGraph that could be used to trigger object reconstruction when a checkpoint is loaded by an attacker who can modify checkpoint data. (Affects langgraph versions before 1.0.10) CVE-2026-27022 (CVSS score: 6.5) - A RediSearch Query Injection in @langchain\u002Flanggraph-checkpoint-redis that can be used to bypass access controls. (Affects @langchain\u002Flanggraph-checkpoint-redis versions before 1.0.1) \"The vulnerability chain is exploitable in self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input,\" Check Point said. \"LangChain's managed platform (LangSmith Deployment), is not affected.\" Security researcher Yarden Porat, who is credited with discovering and reporting all three flaws, said CVE-2025-67644 and CVE-2026-28277 could be chained to achieve remote code execution. Specifically, the attack chain hinges on the application exposing the get_state_history() endpoint, which then allows an attacker to retrieve historical checkpoints based on their metadata. It requires the following steps - The attacker prepares a msgpack payload containing instructions to execute arbitrary code. The attacker sends a malicious filter parameter that exploits the SQL injection vulnerability to return a fake checkpoint row to the database query results, where the checkpoint column contains attacker-controlled serialized data. 
When the application processes the query results, it deserializes the malicious checkpoint's BLOB. The attacker exploits the unsafe deserialization vulnerability to execute the attacker's payload, giving them remote code execution on the server. LangGraph has described CVE-2026-28277 as a post-exploitation issue, where successful exploitation requires the ability to write attacker-controlled checkpoint data and turn that into code execution in the application runtime, and it does not pose any risks to existing LangSmith-hosted deployments. In such a scenario, this escalation from \"write access to checkpoint store\" to code execution may \"expose runtime secrets or provide access to other systems the runtime can reach,\" LangGraph maintainers said. \"The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.\" Check Point said the findings illustrate how classic vulnerability classes like SQL injection can become more potent when they manifest inside AI agent frameworks that carry elevated access and trust, thereby opening the door to sensitive data exposure. Users are advised to apply the latest fixes, implement authentication for self-hosted LangGraph servers, avoid long-lived static secrets, enforce network segmentation, treat AI agents as privileged identities, and apply the principle of least privilege (PoLP) to limit the agent's access footprint.
","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Flanggraph-flaw-chain-exposes-self.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEifnUd6CRFC-YdhoEDgmNoLtKUYjbZvqQJOETqK59Zd5Pk_epd9uGMfPCrujB3grOrajNxMls_p7TWQwnyCxFo1Ou8MM70yUh3dP04776sp-xk3O8544Z9YD-v_konqCTv1eX_42iMBkr4j5c-h0_I5dyBWvrr_3jrphGH3xLcZgaDAN1uH8OA5rWerJE5B\u002Fs1600\u002Flanggraph.jpg","2026-06-12T09:50:36+00:00","2026-06-12T10:00:14.563838+00:00",8,[18,21,24],{"name":19,"type":20},"LangGraph","product",{"name":22,"type":23},"LangChain","vendor",{"name":25,"type":20},"LangSmith","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":26,"icon":28,"name":29,"slug":30},null,"Vulnerabilities","vulnerabilities",[32,34,39,44],{"category":33},{"id":26,"icon":28,"name":29,"slug":30},{"category":35},{"id":36,"icon":28,"name":37,"slug":38},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":40},{"id":41,"icon":28,"name":42,"slug":43},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":45},{"id":46,"icon":28,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,54,57],{"type":51,"value":52,"context":53},"cve","CVE-2025-67644","SQL injection vulnerability in LangGraph's SQLite checkpoint implementation.",{"type":51,"value":55,"context":56},"CVE-2026-28277","Unsafe msgpack deserialization vulnerability in LangGraph.",{"type":51,"value":58,"context":59},"CVE-2026-27022","RediSearch Query Injection in @langchain\u002Flanggraph-checkpoint-redis."]