CVE-2026-48775
Description
LangGraph SQLite Checkpoint's JsonPlusSerializer allows arbitrary code execution when an attacker can modify checkpoint bytes at rest.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In LangGraph SQLite Checkpoint versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct arbitrary Python objects from JSON checkpoint payloads during deserialization. This behavior is reachable only when an unauthorized party can modify checkpoint bytes at rest in the backing store (e.g., database, remote store, shared filesystem). The default serializer for all shipped checkpointer backends (PostgresSaver, SqliteSaver, and their async counterparts) is JsonPlusSerializer, so applications do not need to opt in to be in scope [1].
Exploitation
An attacker with write access to the checkpoint store can modify the stored checkpoint bytes. When the application loads or resumes from that checkpoint, the deserialization path reconstructs objects beyond what the application expects, potentially including malicious Python objects. No additional authentication or user interaction is required beyond the initial write access to the store [1].
Impact
Successful exploitation leads to arbitrary code execution in the LangGraph worker process during checkpoint deserialization. This escalation from "write access to the checkpoint store" to "code execution in the worker process" may expose runtime secrets or provide access to other systems the runtime can reach [1].
Mitigation
The vulnerability is fixed in version 4.1.1. The fix narrows the JSON deserialization path so that revival is restricted to default-constructor reconstruction using the args/kwargs carried in the payload. Users should update to version 4.1.1 or later. No workaround is available for affected versions. There is no evidence of exploitation in the wild, and the issue is not listed on the CISA KEV [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.1.0
- (no CPE) range: <=4.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.