On June 10, 2026, Check Point Research disclosed a vulnerability chain in LangGraph that transforms the AI agent persistence mechanism into a remote code execution (RCE) vector. The discovery affects self-hosted deployments using SQLite or Redis backends, allowing an attacker to escalate from a single API call to full server control. With nearly 46.5 million monthly downloads, the exposure perimeter is vast, concentrated on enterprise infrastructures managing sensitive data and LLM API keys.
This research redefines the risk profile for agentic AI. Attacks are no longer limited to session-based threats like prompt injection; instead, they represent a persistent compromise of the infrastructure hosting the agent. The very memory that makes an agent "intelligent" has become its breaking point.
- The chain combines SQL injection in
get_state_history()with msgpack deserialization to execute arbitrary code on the LangGraph server. - LangGraph records nearly 46.5 million monthly downloads, placing thousands of self-hosted enterprise environments within the attack surface.
- Three CVEs have been assigned: CVE-2025-67644 (SQLite injection), CVE-2026-28277 (msgpack deserialization/RCE), and CVE-2026-27022 (Redis injection).
- The managed LangChain platform using PostgreSQL is not vulnerable; only self-managed deployments with SQLite or Redis are at risk.
The Mechanism: When Persistence Becomes Execution
LangGraph manages AI agent states through a component known as a checkpointer—a persistence layer that saves the execution state at every step for later retrieval. While fundamental to agentic workflows, this architecture introduces a flawed trust boundary: persisted data is treated as trusted internal input rather than a potential attack vector.
The get_state_history() function, which retrieves historical agent checkpoints, contains a SQL injection vulnerability in the filter parameter. According to Check Point Research, this flaw allows an attacker to manipulate which checkpoint data the database returns. The second component is a deserialization vulnerability in the msgpack format: when LangGraph processes the returned data, an attacker-controlled payload executes as code on the server.
Neither flaw tells the full story in isolation. Together, they create a direct path from a single API call to total server compromise. The chain exploits a fundamental architectural assumption: that an AI agent's persisted state is always trustworthy.
CVEs and Patched Versions
Check Point's research resulted in three CVE identifiers. According to Express Computer, the vulnerabilities are CVE-2025-67644 for the SQL injection in the SQLite backend, CVE-2026-28277 for the msgpack deserialization leading to RCE, and CVE-2026-27022 for the injection in the Redis backend. The dossier also links NVD record CVE-2025-68664—a deserialization vulnerability in the LangChain core with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N and a 9.3 CRITICAL score—though it is not textually identified as the exact same flaw as the LangGraph chain.
The versions that resolve these vulnerabilities, as documented by Check Point Research, are: langgraph-checkpoint-sqlite 3.0.1 or later, langgraph 1.0.10 or later, and langgraph-checkpoint-redis 1.0.2 or later. The source specifies that LangChain cooperated through a coordinated disclosure process.
The 9.3 CRITICAL CVSS score for CVE-2025-68664, requiring no network access, no privileges, and no user interaction while impacting resources beyond the security target, indicates maximum severity for the deserialization component. Exact scores for CVE-2025-67644 and CVE-2026-28277 are not present in the extracted dossier.
Enterprise Impact: Beyond the LangGraph Server
"Full code execution on a LangGraph server is not a contained incident. These servers hold the keys to everything the agent touches." — Check Point Research
The compromise of a self-hosted LangGraph server exposes LLM API keys, full conversation histories, connected CRM systems, and corporate databases, providing a foothold for lateral movement within the network. Check Point Research explicitly emphasizes that the impact transcends the individual server: AI agents are designed to integrate with enterprise systems, and their compromise propagates through these connections.
The risk profile differs qualitatively from prompt injection. While the latter is limited to the current session and ends with the conversation, the SQL injection + deserialization chain provides persistent infrastructure access with the potential for privilege escalation within the agent's hosting environment. The source does not document any observed active exploitation in the wild.
Why It Matters
The extracted dossier does not specify detailed operational remediation measures beyond upgrading to patched versions. Check Point Research notes that self-hosted LangGraph is deployed without built-in authentication—an architectural choice that directly exposes deployments not protected by a reverse proxy or API gateway to untrusted networks. The source does not quantify the number of actually exposed environments nor provide a full timeline between discovery and patch release.
The exact nature of the compromisable data is not detailed beyond general categories (API keys, history, connected systems). The brief does not list specific post-patch monitoring controls or procedures for verifying past compromise. Furthermore, the source does not clarify whether CVE-2026-28277 and CVE-2025-68664 represent distinct flaws within the same deserialization class or duplicate assignments for the same defect.
Architectural Lesson: Memory as a Perimeter
This research shifts the focus of AI security from user inputs to state infrastructure. Agentic AI requires persistence to function; that persistence introduces new trust boundaries that traditional threat models often overlook. The combination of SQL injection—a well-established vulnerability class—with deserialization in a binary format like msgpack demonstrates how mature techniques are resurfacing with amplified effects in AI-native architectures.
The market for agentic frameworks is expanding rapidly. LangGraph, with its nearly 46.5 million monthly downloads according to Check Point, represents a significant but not unique example of this trend. The central question is whether teams deploying these frameworks evaluate persisted state as untrusted data or continue to treat it as an implicitly secure internal boundary.
The coordinated disclosure with the LangChain team suggests a mature process, but self-hosted distribution without default authentication remains an architecture that offloads the security perimeter to the operator. The next generation of agentic frameworks must invert this assumption: an agent's memory is external input, not internal data.
Information is based on the cited source and is current at the time of publication.
Sources
- https://www.darkreading.com/vulnerabilities-threats/complex-cloud-integrations-small-errors-compromises
- https://nvd.nist.gov/vuln/detail/CVE-2025-68664
- https://letsdatascience.com/news/researchers-find-critical-vulnerabilities-in-langgraph-b381bea1
- https://www.expresscomputer.in/news/check-point-finds-vulnerability-chain-in-langgraph/135892/
- https://cxotoday.com/media-coverage/when-your-ai-agents-memory-becomes-a-security-liability/
- https://nvd.nist.gov/vuln
- https://nvd.nist.gov/vuln/search
- https://nvd.nist.gov/vuln/categories
- https://nvd.nist.gov/vuln/data-feeds
- https://nvd.nist.gov/vuln/vendor-comments