Artificial intelligence is rapidly shifting from stateless conversational chatbots to fully autonomous, stateful agents capable of executing complex enterprise workflows.
At the heart of this transformation is LangGraph, a massively popular open-source framework from the creators of LangChain, boasting over 46.5 million monthly downloads.
LangGraph empowers developers to build sophisticated, multi-actor AI systems that remember past interactions, execute long-running tasks, and seamlessly integrate with internal enterprise databases.
However, as AI agents gain elevated privileges and access to sensitive environments, the frameworks powering them are becoming prime targets for threat actors.
Recently, a team of researchers from Check Point disclosed a critical vulnerability chain within LangGraph’s self-hosted deployment models.
By chaining together seemingly distinct flaws, attackers could achieve complete Remote Code Execution (RCE) on a compromised server.
This discovery highlights a stark reality: traditional software vulnerabilities, such as SQL injection and insecure deserialization, carry catastrophically higher risks when embedded within AI agent frameworks that hold the keys to enterprise data and large language model (LLM) APIs.
To understand the severity of the Check Point discovery, one must first understand how stateful AI agents operate. Unlike a standard stateless LLM call, an autonomous agent must remember the context of its multi-step operations. LangGraph achieves this persistence using a component known as a “checkpointer.”
The checkpointer acts as the agent’s memory bank, continuously saving the execution state, thread identifiers, and metadata at each step so the workflow can be paused, inspected, and resumed.
Because this persistence layer sits directly in the critical execution path of the entire AI workflow, any vulnerability within the checkpointer compromises the entire system. Developers typically deploy these checkpointers using backend databases like SQLite or Redis.
The Check Point Research team discovered that the mechanisms LangGraph used to retrieve these historical agent checkpoints were flawed in certain self-hosted configurations, paving the way for a devastating attack chain.
The severity of this disclosure does not stem from a single, isolated bug, but rather from the catastrophic chaining of multiple vulnerabilities.
When combined, these flaws allowed an attacker to manipulate backend databases and force the server to execute malicious payloads.
The initial foothold in this attack chain relies on injection flaws located in the get_state_history() function, an API endpoint responsible for retrieving past agent checkpoints.
- CVE-2025-67644 (SQLite Injection): In versions utilizing the SQLite checkpointer, researchers identified an SQL injection vulnerability within the filter parameter. The framework improperly interpolated user-controlled metadata filter keys directly into SQL queries without adequate validation or escaping.
- CVE-2026-27022 (Redis Query Injection): Similarly, environments relying on the Redis checkpointer suffered from a query injection flaw. User-provided filter keys and values were passed directly into RediSearch queries. Because RediSearch utilizes special syntax characters to modify query logic, attackers could manipulate the data to bypass intended access controls.
While an injection vulnerability allows an attacker to manipulate database queries or retrieve unauthorized data, the true danger emerged when this was chained with a deserialization flaw.
- CVE-2026-28277 (Msgpack Deserialization RCE): When LangGraph retrieves checkpoint data from the database, it must deserialize the information to reconstruct the Python objects used by the agent.
- In affected versions, the checkpointer relied on an unsafe MessagePack (msgpack) deserialization process. By leveraging the initial injection vulnerabilities, an attacker could manipulate the retrieved database records, forcing the LangGraph application to load a maliciously crafted msgpack payload. Upon deserialization, this payload triggered arbitrary remote code execution on the host server.
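The injection class described above, as an added illustration that is not LangGraph's own code: a constructed SQLite checkpoint table, a query builder that splices caller-controlled metadata filter keys into the SQL text, and a hardened builder that validates keys against a strict identifier pattern and binds both key and value as parameters. Table layout, column names and sample rows are assumptions made for the example.

```python
import json
import re
import sqlite3

# Constructed sample checkpoint rows (thread id, JSON metadata); not real data.
SAMPLE_ROWS = [
    ("thread-a", json.dumps({"source": "loop", "step": 1, "owner": "alice"})),
    ("thread-b", json.dumps({"source": "input", "step": 0, "owner": "bob"})),
]


def build_db():
    """Create an in-memory table shaped like a minimal checkpoint store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_history(conn, metadata_filter):
    """Weak pattern: filter KEYS become part of the SQL text.
    Values are bound, but a caller-controlled key is still interpreted as SQL."""
    clauses = [f"json_extract(metadata, '$.{k}') = ?" for k in metadata_filter]
    sql = "SELECT thread_id FROM checkpoints"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    rows = conn.execute(sql + " ORDER BY thread_id", list(metadata_filter.values()))
    return [r[0] for r in rows]


# Only plain identifiers are accepted as metadata keys (allowlist by shape).
_SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def hardened_history(conn, metadata_filter):
    """Hardened pattern: reject non-identifier keys, and bind the JSON path
    itself as a parameter so no caller input ever reaches the SQL text."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not _SAFE_KEY.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, '$.' || ?) = ?")
        params.extend([key, value])
    sql = "SELECT thread_id FROM checkpoints"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    rows = conn.execute(sql + " ORDER BY thread_id", params)
    return [r[0] for r in rows]
```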
Achieving full remote code execution on a server hosting enterprise AI agents is not a contained, low-impact incident. Because AI agents are designed to interact autonomously with other systems, they are often heavily over-provisioned with administrative access and API credentials. A compromised LangGraph server exposes the entire ecosystem the agent touches.
| Compromised Asset | Enterprise Impact |
| --- | --- |
| LLM API Keys | Attackers gain direct access to the organization’s billing accounts for premium models (e.g., OpenAI, Anthropic), allowing for resource hijacking and massive financial drain. |
| Data & CRM Access | Agents frequently hold credentials for tools like Salesforce, Jira, or internal SQL databases. Attackers inherit these permissions, exposing customer PII, internal tickets, and financial records. |
| Conversation History | The server stores every prompt, response, and intermediate reasoning step the agent has ever processed, leading to the massive exposure of proprietary logic and trade secrets. |
| Network Foothold | A compromised self-hosted LangGraph server acts as the perfect pivot point. Attackers can use the server’s internal network access to move laterally into isolated enterprise systems. |
Unlike prompt injection, which typically affects only a single user’s immediate session, this vulnerability chain operates at the infrastructure level.
An attacker who successfully exploits this chain can silently hijack the agent’s future behavior, manipulating the AI into performing unauthorized actions, spreading disinformation to customers, or impersonating trusted internal systems.
Remediation
The disclosure of these vulnerabilities serves as a critical wake-up call for development and security teams deploying autonomous agents.
LangChain’s managed platform (LangSmith Deployment) utilizes PostgreSQL and was not affected by this specific chain. However, teams self-hosting LangGraph must take immediate action.
The LangChain development team worked closely with Check Point to design and validate fixes for all identified issues. Organizations must immediately upgrade their dependencies to the following secure versions:
- SQLite Deployments: Update to langgraph-checkpoint-sqlite version 3.0.1 or later.
- Redis Deployments: Update to @langchain/langgraph-checkpoint-redis version 1.0.2 or later.
- Core Framework: Update the core langgraph package to version 1.0.10 or later to resolve the unsafe deserialization flaw.
Patching the immediate CVEs is necessary, but defending against the next generation of AI infrastructure attacks requires systemic changes to how organizations deploy agentic workflows.
First, never expose AI agent infrastructure directly to untrusted networks. Self-hosted LangGraph instances ship without built-in authentication, meaning developers must place robust API gateways or reverse proxies in front of their deployments to ensure only authorized traffic reaches the get_state_history() endpoints.
Second, organizations must begin treating AI agents as highly privileged human identities. Implement the principle of least privilege for every credential an agent holds.
Avoid hardcoding long-lived static secrets into the agent’s environment, opting instead for dynamic credential brokering that restricts API key exposure.
Finally, security teams must incorporate AI red teaming into their lifecycle, rigorously testing the agentic stack for complex vulnerability chains rather than relying solely on automated dependency scanning.
As AI agents continue to transition into the role of digital enterprise workers, securing their memory and execution runtime is no longer optional; it is the foundational requirement for operational trust.
FAQ
Q: What is the core issue in the LangGraph vulnerability chain?
A: It combines SQL/Redis injection flaws with insecure msgpack deserialization to allow complete remote code execution on self-hosted servers.
Q: Are managed LangChain/LangSmith deployments affected by these CVEs?
A: No, the managed LangSmith platform uses PostgreSQL and is entirely unaffected by this specific vulnerability chain.
Q: Which specific versions contain the critical security patches?
A: Users must upgrade to langgraph-checkpoint-sqlite 3.0.1, langgraph-checkpoint-redis 1.0.2, and core langgraph 1.0.10.
Q: Why is an AI agent compromise more dangerous than standard server breaches?
A: AI agents hold extensive API keys, enterprise credentials, and full conversation histories, acting as heavily privileged insiders.
Site: thecybrdef.com