Check Point Research Uncovers SQL Injection-to-RCE Chain in LangGraph AI Agent Framework
Check Point Research disclosed three vulnerabilities in LangGraph, including a SQL injection that chains with unsafe deserialization to achieve remote code execution in the popular AI agent framework.

Check Point Research has disclosed three critical vulnerabilities in LangGraph, an open-source framework for building stateful AI agents that boasts over 50 million monthly downloads. The most severe of these, CVE-2025-67644, is a SQL injection vulnerability in the SQLite checkpointer that can be chained with an unsafe msgpack deserialization flaw (CVE-2026-28277) to achieve remote code execution. A third issue, CVE-2026-27022, introduces a similar injection class in the Redis checkpointer.
The vulnerabilities reside in LangGraph's persistence layer, known as checkpointers, which store execution state for AI agents. The SQL injection occurs in the _metadata_predicate function of the SQLite checkpointer, where an attacker-controlled filter parameter can inject arbitrary SQL into the query. By using a UNION SELECT statement, an attacker can return a crafted row containing malicious serialized data in the checkpoint BLOB column.
When the framework processes the query results, it deserializes the checkpoint data using the loads_typed() function. The msgpack deserialization path (CVE-2026-28277) does not safely restrict the types of objects that can be unpacked, allowing an attacker to execute arbitrary code. This chain effectively turns a SQL injection into full remote code execution on the server hosting the LangGraph application.
The third vulnerability, CVE-2026-27022, affects the Redis checkpointer in a similar manner, though the exploitation path differs due to Redis's data model. Teams self-hosting LangGraph with either the SQLite or Redis checkpointer are at risk if the application exposes the get_state_history() function with a user-controlled filter parameter. LangChain's managed cloud service, LangSmith Deployment (formerly LangGraph Platform), uses PostgreSQL and is not vulnerable to these issues.
LangChain has released patches for all three vulnerabilities. Users should update to langgraph-checkpoint-sqlite version 3.0.1 or later, langgraph version 1.0.10 or later, and langgraph-checkpoint-redis version 1.0.2 or later. The patches address the SQL injection by properly sanitizing the query key input and restricting the msgpack deserialization to safe types.
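The fix for the metadata predicate comes down to never letting a filter key reach the SQL text unvalidated and always binding filter values as parameters. The following is an added illustration of that pattern, not LangGraph's own code: `metadata_predicate`, the table layout and the sample rows are all constructed here, and the key allowlist regex is an assumed policy.

```python
import json
import re
import sqlite3

# Only plain identifiers are accepted as metadata keys; anything else is rejected
# before it can reach the SQL text. (Assumed policy, not LangGraph's own rule.)
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def metadata_predicate(filter_: dict) -> tuple[str, list]:
    """Build a WHERE fragment over a JSON 'metadata' column.

    Each key is validated against _KEY_RE and each value is passed as a bound
    parameter, so neither can change the structure of the query.
    """
    clauses, params = [], []
    for key, value in filter_.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        # The json_extract path is built from a validated identifier only;
        # the comparison value is bound, never interpolated.
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(json.dumps(value) if isinstance(value, (dict, list)) else value)
    where = " AND ".join(clauses) if clauses else "1 = 1"
    return where, params

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample checkpoint table (not real LangGraph state)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint BLOB, metadata TEXT)")
    rows = [
        ("t1", b"\x80", json.dumps({"source": "input", "step": 1})),
        ("t1", b"\x80", json.dumps({"source": "loop", "step": 2})),
        ("t2", b"\x80", json.dumps({"source": "input", "step": 1})),
    ]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", rows)
    return conn

def list_checkpoints(conn: sqlite3.Connection, thread_id: str, filter_: dict) -> list[str]:
    """Return the metadata JSON of checkpoints in a thread that match the filter."""
    where, params = metadata_predicate(filter_)
    sql = f"SELECT metadata FROM checkpoints WHERE thread_id = ? AND {where}"
    return [row[0] for row in conn.execute(sql, [thread_id, *params])]
```

A key containing a quote, a space or a parenthesis is refused before any query is built, which is the check the original code lacked.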
This disclosure highlights the growing security challenges in the AI agent ecosystem. As frameworks like LangGraph become foundational to production AI systems, the attack surface expands beyond traditional web vulnerabilities. The ability to chain a SQL injection with unsafe deserialization to achieve RCE demonstrates that AI agent frameworks must be held to the same rigorous security standards as any other critical infrastructure component.