VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2026-27022

Description

@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.
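
An added example (not code from the package or from its 1.0.2 fix) of the pattern the description names: a filter builder that interpolates keys and values as-is, beside a hardened form that validates keys and backslash-escapes values. The `tenant` field, the helper names and the sample value are constructed for illustration, and escaping every non-word character is a conservative assumption rather than the project's documented rule.

```javascript
// Added example with hypothetical helper names; not the package's own code.

// Conservative assumption: backslash-escape every character that is not an
// ASCII letter, digit or underscore, so punctuation in a value cannot act as
// RediSearch query syntax inside a TAG clause.
function escapeTagValue(value) {
  return String(value).replace(/[^A-Za-z0-9_]/gu, (ch) => "\\" + ch);
}

// Filter keys become field names: validate them against a strict pattern
// instead of escaping, and reject anything else.
function assertSafeFieldName(key) {
  if (typeof key !== "string" || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
    throw new Error("rejected filter key: " + JSON.stringify(key));
  }
  return key;
}

// Pattern the advisory describes: keys and values interpolated unchanged.
function buildFilterUnsafe(filter) {
  return Object.entries(filter)
    .map(([k, v]) => `@${k}:{${v}}`)
    .join(" ");
}

// Hardened form: validated keys, escaped values.
function buildFilterSafe(filter) {
  return Object.entries(filter)
    .map(([k, v]) => `@${assertSafeFieldName(k)}:{${escapeTagValue(v)}}`)
    .join(" ");
}

// Regression check: true when every non-word character in a TAG value is
// preceded by a backslash.
function isFullyEscaped(tagValue) {
  return /^(?:[A-Za-z0-9_]|\\[^A-Za-z0-9_])*$/u.test(tagValue);
}

// Constructed sample: a filter value that carries RediSearch punctuation.
const sample = { tenant: "acme-corp|eu*" };

console.log("unsafe:", buildFilterUnsafe(sample));
console.log("safe:  ", buildFilterSafe(sample));
```

A check like `isFullyEscaped` fits in a unit test around whatever query builder is in use, so a regression to raw interpolation fails the build.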

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| @langchain/langgraph-checkpoint-redis (npm) | < 1.0.2 | 1.0.2 |
