CVE-2026-27794
Description
LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a remote code execution vulnerability exists in LangGraph's caching layer when an application enables a cache backend that inherits from BaseCache and opts nodes into caching via CachePolicy. Prior to langgraph-checkpoint 4.0.0, BaseCache defaults to JsonPlusSerializer(pickle_fallback=True); when msgpack serialization fails, that fallback means cached values can be deserialized via pickle.loads(...).

Caching is not enabled by default. Applications are affected only when all of the following hold: the application explicitly enables a cache backend (for example by passing cache=... to StateGraph.compile(...) or otherwise configuring a BaseCache implementation); one or more nodes opt into caching via CachePolicy; and the attacker can write to the cache backend.

An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak or no authentication, or shared cache infrastructure reachable by other tenants or services) or write access to local cache storage (for example a SQLite cache file made writable by permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue.
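An added illustration of the mechanics above, not code from the advisory or from LangGraph: a constructed stand-in serializer reproduces the pre-4.0.0 fallback (json stands in for msgpack), a wrapper refuses to write or read pickle-tagged entries, and an audit function flags stored rows that would reach pickle.loads. The method names dumps_typed/loads_typed and the (type tag, bytes) storage shape are assumed to match LangGraph's SerializerProtocol; on a real pre-4.0.0 install the equivalent mitigation is to pass serde=JsonPlusSerializer(pickle_fallback=False) through the serde keyword that the patched BaseCache.__init__ exposes.

```python
import json
import pickle
from typing import Any

Tagged = tuple[str, bytes]  # (type tag, payload); assumed shape of typed serializer output

class FallbackSerde:
    """Constructed stand-in for the pre-4.0.0 default JsonPlusSerializer(pickle_fallback=True).
    json stands in for msgpack; only the shape of the failure path matters here."""

    def __init__(self, pickle_fallback: bool) -> None:
        self.pickle_fallback = pickle_fallback

    def dumps_typed(self, obj: Any) -> Tagged:
        try:
            return "json", json.dumps(obj).encode()
        except TypeError:
            if not self.pickle_fallback:
                raise  # 4.0.0 behaviour: unencodable values fail loudly at write time
            return "pickle", pickle.dumps(obj)  # pre-4.0.0 silent fallback

    def loads_typed(self, data: Tagged) -> Any:
        tag, raw = data
        if tag == "json":
            return json.loads(raw)
        if tag == "pickle":
            return pickle.loads(raw)  # whoever wrote the cache row controls what runs here
        raise ValueError(f"unknown type tag {tag!r}")

class NoPickleSerde:
    """Defensive wrapper: never write or read a 'pickle'-tagged entry through the inner serde."""

    def __init__(self, inner: Any) -> None:
        self.inner = inner

    def dumps_typed(self, obj: Any) -> Tagged:
        tag, raw = self.inner.dumps_typed(obj)
        if tag == "pickle":
            raise TypeError("value is not structurally encodable; refusing pickle fallback")
        return tag, raw

    def loads_typed(self, data: Tagged) -> Any:
        if data[0] == "pickle":
            raise ValueError("cache entry tagged 'pickle' rejected: possible poisoned row")
        return self.inner.loads_typed(data)

def audit_cache_rows(rows: dict[str, Tagged]) -> list[str]:
    """Keys of stored entries that a pickle_fallback=True serde would hand to pickle.loads."""
    return [key for key, (tag, _) in rows.items() if tag == "pickle"]
```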
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| langgraph-checkpoint (PyPI) | < 4.0.0 | 4.0.0 |
Patches
f91d79d0c869 fix: flip default on base cache (#6677)
11 files changed · +46 −32
libs/checkpoint/langgraph/cache/base/__init__.py+1 −1 modified@@ -15,7 +15,7 @@ class BaseCache(ABC, Generic[ValueT]): """Base class for a cache.""" - serde: SerializerProtocol = JsonPlusSerializer(pickle_fallback=True) + serde: SerializerProtocol = JsonPlusSerializer(pickle_fallback=False) def __init__(self, *, serde: SerializerProtocol | None = None) -> None: """Initialize the cache with a serializer."""
libs/checkpoint-postgres/pyproject.toml+2 −2 modified@@ -4,15 +4,15 @@ build-backend = "hatchling.build" [project] name = "langgraph-checkpoint-postgres" -version = "3.0.2" +version = "3.0.3" description = "Library with a Postgres implementation of LangGraph checkpoint saver." authors = [] requires-python = ">=3.10" readme = "README.md" license = "MIT" license-files = ['LICENSE'] dependencies = [ - "langgraph-checkpoint>=2.1.2,<4.0.0", + "langgraph-checkpoint>=2.1.2,<5.0.0", "orjson>=3.10.1", "psycopg>=3.2.0", "psycopg-pool>=3.2.0",
libs/checkpoint-postgres/uv.lock+2 −2 modified@@ -259,7 +259,7 @@ wheels = [ [[package]] name = "langgraph-checkpoint" -version = "3.0.1" +version = "4.0.0" source = { editable = "../checkpoint" } dependencies = [ { name = "langchain-core" }, @@ -306,7 +306,7 @@ test = [ [[package]] name = "langgraph-checkpoint-postgres" -version = "3.0.2" +version = "3.0.3" source = { editable = "." } dependencies = [ { name = "langgraph-checkpoint" },
libs/checkpoint/pyproject.toml+1 −1 modified@@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "langgraph-checkpoint" -version = "3.0.1" +version = "4.0.0" description = "Library with base interfaces for LangGraph checkpoint savers." authors = [] requires-python = ">=3.10"
libs/checkpoint-sqlite/pyproject.toml+2 −2 modified@@ -4,15 +4,15 @@ build-backend = "hatchling.build" [project] name = "langgraph-checkpoint-sqlite" -version = "3.0.1" +version = "3.0.2" description = "Library with a SQLite implementation of LangGraph checkpoint saver." authors = [] requires-python = ">=3.10" readme = "README.md" license = "MIT" license-files = ['LICENSE'] dependencies = [ - "langgraph-checkpoint>=3,<4.0.0", + "langgraph-checkpoint>=3,<5.0.0", "aiosqlite>=0.20", "sqlite-vec>=0.1.6", ]
libs/checkpoint-sqlite/uv.lock+3 −3 modified@@ -1,5 +1,5 @@ version = 1 -revision = 2 +revision = 3 requires-python = ">=3.10" [[package]] @@ -246,7 +246,7 @@ wheels = [ [[package]] name = "langgraph-checkpoint" -version = "3.0.1" +version = "4.0.0" source = { editable = "../checkpoint" } dependencies = [ { name = "langchain-core" }, @@ -293,7 +293,7 @@ test = [ [[package]] name = "langgraph-checkpoint-sqlite" -version = "3.0.1" +version = "3.0.2" source = { editable = "." } dependencies = [ { name = "aiosqlite" },
libs/checkpoint/uv.lock+1 −1 modified@@ -286,7 +286,7 @@ wheels = [ [[package]] name = "langgraph-checkpoint" -version = "3.0.1" +version = "4.0.0" source = { editable = "." } dependencies = [ { name = "langchain-core" },
libs/langgraph/pyproject.toml+2 −2 modified@@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "langgraph" -version = "1.0.5" +version = "1.0.6" description = "Building stateful, multi-actor applications with LLMs" authors = [] requires-python = ">=3.10" @@ -25,7 +25,7 @@ classifiers = [ ] dependencies = [ "langchain-core>=0.1", - "langgraph-checkpoint>=2.1.0,<4.0.0", + "langgraph-checkpoint>=2.1.0,<5.0.0", "langgraph-sdk>=0.3.0,<0.4.0", "langgraph-prebuilt>=1.0.2,<1.1.0", "xxhash>=3.5.0",
libs/langgraph/uv.lock+25 −11 modified@@ -746,6 +746,19 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/19/41/0b430b01a2eb38ee887f88c1f07644a1df8e289353b78e82b37ef988fb64/grpcio-1.76.0-cp314-cp314-win_amd64.whl", hash = "sha256:922fa70ba549fce362d2e2871ab542082d66e2aaf0c19480ea453905b01f384e", size = 4834462, upload-time = "2025-10-21T16:22:39.772Z" }, ] +[[package]] +name = "grpcio-health-checking" +version = "1.76.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "grpcio", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, + { name = "protobuf", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/3e/96/5a52dcf21078b47ffa0c2ed613c3153a06f138edb6133792bace5f1ccc1d/grpcio_health_checking-1.76.0.tar.gz", hash = "sha256:b7a99d74096b3ab3a59987fc02374068e1c180a352e8d1f79f10e5a23727098d", size = 16784, upload-time = "2025-10-21T16:28:55.204Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/65/e6/746dffa51399827e38bb3f3f1ad656a3d8c1255039b256a6f76593368768/grpcio_health_checking-1.76.0-py3-none-any.whl", hash = "sha256:9743f345a855ba030cc7c381361606870b79d33bb71d7756efa47b6faa970f81", size = 18910, upload-time = "2025-10-21T16:27:26.332Z" }, +] + [[package]] name = "grpcio-tools" version = "1.75.1" @@ -1345,7 +1358,7 @@ wheels = [ [[package]] name = "langgraph" -version = "1.0.5" +version = "1.0.6" source = { editable = "." } dependencies = [ { name = "langchain-core" }, 
@@ -1488,12 +1501,13 @@ test = [ [[package]] name = "langgraph-api" -version = "0.5.35" +version = "0.6.32" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cloudpickle", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "cryptography", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "grpcio", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, + { name = "grpcio-health-checking", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "grpcio-tools", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "httpx", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "jsonschema-rs", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, 
@@ -1518,14 +1532,14 @@ dependencies = [ { name = "uvicorn", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "watchfiles", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/5a/27/4dd4287ec65690e3a212d7154e20504b4e88e861fd62625053be8903bc57/langgraph_api-0.5.35.tar.gz", hash = "sha256:b5687a5201ff365e1bc016042a7103ed8a2c2440f57b71f8480c223585bbfca1", size = 378029, upload-time = "2025-12-09T00:37:35.091Z" } +sdist = { url = "https://files.pythonhosted.org/packages/85/d2/f26cfc06c904535c994f751bf60cebf3d1368c3d6bdde0d2683434a49c86/langgraph_api-0.6.32.tar.gz", hash = "sha256:2ec5be13b75a88a072be8b54d8c9ba7034669be1decade70bd55ce987b1008b7", size = 436186, upload-time = "2026-01-11T22:56:22.381Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/5a/80/296db2db262a90b0fe3cb2562790025e018e33da9d171cc64f12076e5911/langgraph_api-0.5.35-py3-none-any.whl", hash = "sha256:6aaf967c52ff719861b80e4dc8066968baa185d9daae8433f0d84b5a27708a65", size = 305523, upload-time = "2025-12-09T00:37:34.001Z" }, + { url = "https://files.pythonhosted.org/packages/8b/43/848e40f1f85073b8f7a3419f485ba75cd54d5fa404058149221b92de67af/langgraph_api-0.6.32-py3-none-any.whl", hash = "sha256:79adddc25db90ef8693f2d1da16f24c239735562d1abef8c8230798eeed5fb16", size = 342693, upload-time = "2026-01-11T22:56:20.877Z" }, ] [[package]] name = "langgraph-checkpoint" -version = "3.0.1" +version = "4.0.0" source = { editable = "../checkpoint" } dependencies = [ { name = "langchain-core" }, @@ -1572,7 +1586,7 @@ test = [ [[package]] name = "langgraph-checkpoint-postgres" -version = "3.0.2" +version = "3.0.3" source = { editable = "../checkpoint-postgres" } dependencies = [ { name = "langgraph-checkpoint" }, 
@@ -1619,7 +1633,7 @@ test = [ [[package]] name = "langgraph-checkpoint-sqlite" -version = "3.0.1" +version = "3.0.2" source = { editable = "../checkpoint-sqlite" } dependencies = [ { name = "aiosqlite" }, @@ -1712,7 +1726,7 @@ test = [ [[package]] name = "langgraph-prebuilt" -version = "1.0.5" +version = "1.0.6" source = { editable = "../prebuilt" } dependencies = [ { name = "langchain-core" }, @@ -1763,7 +1777,7 @@ test = [ [[package]] name = "langgraph-runtime-inmem" -version = "0.19.1" +version = "0.22.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "blockbuster", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, 
@@ -1773,9 +1787,9 @@ dependencies = [ { name = "starlette", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, { name = "structlog", marker = "python_full_version >= '3.11' and python_full_version < '3.14'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/f4/9e/6e7b321ef02834059983d6d5a635cc20f9987b19fe6a4666332c8b9b0ede/langgraph_runtime_inmem-0.19.1.tar.gz", hash = "sha256:573d576cf38392fcace76d772be9adc4d54b2af129ae54cb9780bab4fb55ee69", size = 98975, upload-time = "2025-12-04T07:01:40.105Z" } +sdist = { url = "https://files.pythonhosted.org/packages/fc/4e/1658cfe871c2cd02013e97663cb64e734b531b3102cebbe50523f9f839ae/langgraph_runtime_inmem-0.22.0.tar.gz", hash = "sha256:8c50ccdfe2654a8524c3729d24f83705360c03b7d6a1c362584e0546abaeb32b", size = 103368, upload-time = "2026-01-08T02:03:28.315Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/8d/32/2230e8f4bd1a61518b594aefda60a14ea0fdf50b4bb14da7962f8590fa45/langgraph_runtime_inmem-0.19.1-py3-none-any.whl", hash = "sha256:5aba07ba358a493a8f40590fad8e5342d1141a479410289ca5ae6f6b4fa6ab84", size = 35100, upload-time = "2025-12-04T07:01:38.758Z" }, + { url = "https://files.pythonhosted.org/packages/fb/f9/09de2d2e09e122a93b4145487f1a4cd5923242ed4d3e3edfcea6fd6673cd/langgraph_runtime_inmem-0.22.0-py3-none-any.whl", hash = "sha256:46994bfebadc824e3b20374ed8ae151fa6da40eed3e43dd44c2a66d0185cb8ef", size = 37473, upload-time = "2026-01-08T02:03:27.372Z" }, ] [[package]]
libs/prebuilt/pyproject.toml+2 −2 modified@@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "langgraph-prebuilt" -version = "1.0.5" +version = "1.0.6" description = "Library with high-level APIs for creating and executing LangGraph agents and tools." authors = [] requires-python = ">=3.10" @@ -24,7 +24,7 @@ classifiers = [ 'Programming Language :: Python :: 3.13', ] dependencies = [ - "langgraph-checkpoint>=2.1.0,<4.0.0", + "langgraph-checkpoint>=2.1.0,<5.0.0", "langchain-core>=1.0.0", ]
libs/prebuilt/uv.lock+5 −5 modified@@ -271,7 +271,7 @@ wheels = [ [[package]] name = "langgraph" -version = "1.0.5" +version = "1.0.6" source = { editable = "../langgraph" } dependencies = [ { name = "langchain-core" }, @@ -355,7 +355,7 @@ test = [ [[package]] name = "langgraph-checkpoint" -version = "3.0.1" +version = "4.0.0" source = { editable = "../checkpoint" } dependencies = [ { name = "langchain-core" }, @@ -402,7 +402,7 @@ test = [ [[package]] name = "langgraph-checkpoint-postgres" -version = "3.0.2" +version = "3.0.3" source = { editable = "../checkpoint-postgres" } dependencies = [ { name = "langgraph-checkpoint" }, @@ -449,7 +449,7 @@ test = [ [[package]] name = "langgraph-checkpoint-sqlite" -version = "3.0.1" +version = "3.0.2" source = { editable = "../checkpoint-sqlite" } dependencies = [ { name = "aiosqlite" }, @@ -492,7 +492,7 @@ test = [ [[package]] name = "langgraph-prebuilt" -version = "1.0.5" +version = "1.0.6" source = { editable = "." } dependencies = [ { name = "langchain-core" },
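Review bot: the flip to `serde: SerializerProtocol = JsonPlusSerializer(pickle_fallback=False)` in libs/checkpoint/langgraph/cache/base/__init__.py is the entire fix, but nothing in that hunk documents the behaviour change: a node result that msgpack cannot encode will now raise at cache-write time where it previously fell back to pickle silently. Suggest a sentence in the `"""Base class for a cache."""` docstring (and in the notes for the 4.0.0 major bump) stating that, and pointing callers who genuinely need pickle to the explicit `serde=` keyword of `__init__` so the opt-in is visible in their code.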
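Review bot: in the libs/checkpoint-postgres, libs/checkpoint-sqlite, libs/langgraph and libs/prebuilt pyproject.toml hunks only the upper bound moves (`"langgraph-checkpoint>=2.1.2,<4.0.0"` to `"langgraph-checkpoint>=2.1.2,<5.0.0"`, and likewise for the `>=2.1.0` and `>=3` lines); the lower bounds still admit every vulnerable 3.x release, so a user who upgrades langgraph, langgraph-prebuilt or a checkpointer package alone can keep the pickle-fallback default. If these packages are meant to carry the fix, raise the floor to `>=4.0.0`; otherwise the advisory and release notes should say plainly that langgraph-checkpoint itself must be upgraded.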
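Review bot: the libs/langgraph/uv.lock hunks bundle unrelated lock churn with the security fix: a new `grpcio-health-checking` 1.76.0 entry, `langgraph-api` 0.5.35 to 0.6.32 and `langgraph-runtime-inmem` 0.19.1 to 0.22.0, none of which the commit message "fix: flip default on base cache" covers. Keeping a security fix's lockfile diff to the version bumps it actually needs makes review and any backport easier; suggest moving those refreshes to a separate commit.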
References
- github.com/advisories/GHSA-mhr3-j7m5-c7c9 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27794 (NVD entry)
- github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c (fix commit)
- github.com/langchain-ai/langgraph/pull/6677 (pull request)
- github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0 (release)
- github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9 (repository advisory)
News mentions
- 30th March – Threat Intelligence Report, Check Point Research, Mar 30, 2026