Critical Deserialization Flaw in LangChain LangGraph Allows Unauthenticated RCE
A critical remote code execution vulnerability (CVE-2026-27794) in LangChain's LangGraph BaseCache class allows unauthenticated attackers to achieve code execution via deserialization of untrusted data.
A critical remote code execution vulnerability has been disclosed in LangChain's LangGraph framework, tracked as CVE-2026-27794 and published by the Zero Day Initiative as ZDI-26-135. The flaw resides in the BaseCache class and allows unauthenticated attackers to achieve arbitrary code execution in the context of the service account by deserializing untrusted data.
The vulnerability carries a CVSS score of 8.1, reflecting high impacts on confidentiality, integrity, and availability, though the attack complexity is rated as high. No authentication is required to exploit the flaw, making it particularly dangerous for internet-facing deployments of LangGraph that expose the BaseCache functionality.
LangGraph is a popular framework for building stateful, multi-actor applications with large language models. The BaseCache class is used for caching intermediate results and agent state, and the deserialization issue means that an attacker who can supply crafted data to the cache can trigger arbitrary code execution without any prior access to the system.
The vulnerability was reported to LangChain on December 9, 2025, by researchers Peter Girnus, Demeng Chen, and Brandon Niemczyk of Trend Micro's Zero Day Initiative. LangChain has since released a fix, detailed in a GitHub security advisory at GHSA-mhr3-j7m5-c7c9c9. Users are strongly advised to update their LangGraph installations immediately.
This disclosure follows a broader trend of critical deserialization vulnerabilities in AI/ML frameworks, which have become prime targets for attackers as organizations rapidly adopt agentic AI architectures. The ability to execute code without authentication in the service account context makes this flaw especially concerning for enterprise deployments where LangGraph agents may have access to sensitive data or internal systems.
Organizations using LangGraph should prioritize patching this vulnerability and review their exposure of BaseCache endpoints. As with many deserialization flaws, the best mitigation is to apply the vendor-supplied update and ensure that caching interfaces are not exposed to untrusted networks.