Critical LangGraph Vulnerability Chain Allows Unauthorized Server Control in AI Agent Frameworks
TL;DR
- Critical LangGraph vulnerabilities allow unauthorized remote code execution on self-hosted servers.
- Attackers exploit SQL injection and deserialization flaws in agent memory persistence layers.
- Multiple high-severity CVEs enable access to environment secrets, API keys, and internal files.
- Self-hosted deployments face significant risks, while managed services like LangSmith remain unaffected.
Security researchers have just pulled the curtain back on a nasty string of vulnerabilities in LangGraph, the open-source framework LangChain built for stateful, multi-agent AI. We’re talking about a classic "chaining" scenario here—SQL injection and deserialization flaws that, when stitched together, give an attacker a golden ticket to remote code execution (RCE) on self-hosted AI servers.
Given how many developers are leaning on LangGraph to power their agents, this is a big deal. Millions of downloads mean a massive footprint. If you’re running these agents, you’re essentially handing over the keys to the kingdom: LLM API keys, CRM credentials, and internal network maps could all be up for grabs if an attacker exploits the memory persistence layer.
The Anatomy of the Breach
The problem isn't just one bad line of code; it’s a systemic issue in how the framework handles agent memory and checkpoints. Researchers found that by chaining these individual weaknesses, an attacker can escalate from tampering with persisted checkpoint data to full control over the host server.
Here’s the breakdown of the vulnerabilities currently on the radar:
- CVE-2025-67644 (CVSS 7.3): An SQL injection bug in the SQLite checkpointing logic. Attackers can manipulate SQL queries via metadata filter keys, which—if you’re not careful—can lead to unauthorized database access.
- CVE-2026-28277 (CVSS 6.8): A deserialization issue that serves as a key ingredient in the RCE cocktail.
- CVE-2025-68664 (CVSS 9.3): A critical deserialization flaw that can spill environment secrets and API keys.
- CVE-2026-34070 (CVSS 7.5): A path traversal vulnerability in the prompt-loading subsystem. It’s exactly what it sounds like: an attacker can read files from your host system that they have no business touching.
- CVE-2026-27022: Another injection vulnerability, this time targeting Redis checkpointers.
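To make the SQLite item concrete, here is an added Python example of the bug class it describes: a checkpoint search that binds filter *values* as parameters but splices filter *keys* straight into `json_extract` paths, shown beside a hardened version. This is illustrative code written for this article, not LangGraph's own checkpointer and not a reproduction of CVE-2025-67644; the table schema, the sample rows and both `search_*` functions are constructed for the example. It assumes a SQLite build with the JSON functions, which the SQLite bundled with Python has enabled by default since 3.38.

```python
import json
import re
import sqlite3

# Constructed fixture: a minimal "checkpoints" table with a JSON metadata
# column. This schema is an assumption for the example, not LangGraph's.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    rows = [
        ("tenant-a", json.dumps({"source": "input", "step": 1})),
        ("tenant-b", json.dumps({"source": "loop", "step": 2, "note": "private"})),
    ]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)", rows)
    return conn


def search_vulnerable(conn: sqlite3.Connection, filters: dict) -> list[str]:
    """Values are bound, but each KEY is interpolated into the JSON path.
    A crafted key closes the quoted path and rewrites the WHERE clause."""
    clauses = [f"json_extract(metadata, '$.{k}') = ?" for k in filters]
    sql = "SELECT thread_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, list(filters.values()))]


# Strict identifier pattern for metadata keys; anything else is rejected.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def search_hardened(conn: sqlite3.Connection, filters: dict) -> list[str]:
    """Keys are validated against _KEY_RE and the JSON path itself is bound
    as a parameter, so neither key nor value ever reaches the SQL text."""
    for k in filters:
        if not _KEY_RE.match(k):
            raise ValueError(f"invalid metadata filter key: {k!r}")
    clauses = ["json_extract(metadata, ?) = ?"] * len(filters)
    params: list = []
    for k, v in filters.items():
        params += ["$." + k, v]
    sql = "SELECT thread_id FROM checkpoints WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]


# Constructed malicious key: closes the '$.…' literal, appends OR 1=1, and
# re-opens a literal so the trailing "') = ?" still parses.
MALICIOUS_KEY = "x') = 1 OR 1=1 OR ('x"

if __name__ == "__main__":
    db = make_db()
    print("honest filter   :", search_vulnerable(db, {"source": "input"}))
    print("injected filter :", search_vulnerable(db, {MALICIOUS_KEY: "anything"}))
    try:
        search_hardened(db, {MALICIOUS_KEY: "anything"})
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The honest filter returns one thread; the injected key makes `search_vulnerable` return every thread in the table, while `search_hardened` refuses the key before any SQL is built. Binding the path (`json_extract(metadata, ?)`) is what removes the injection; the regex is a second layer that also keeps odd-but-valid paths such as `a.b` or `a[0]` out of the filter surface.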

Why Self-Hosted Deployments Are in the Crosshairs
If you’re using managed services like LangSmith, you can breathe a little easier—these specific persistence-layer issues don’t apply to you. But for the self-hosted crowd? You’re in the hot seat. Check Point Research points to the get_state_history function as the primary vector for these RCE attacks.
The danger here is structural. AI agents act as the bridge between your internal databases and the raw power of LLMs. Once an attacker compromises the server, they aren't just looking at the agent; they’re effectively bypassing the application layer entirely. They can exfiltrate proprietary data or start tossing requests to your internal APIs, masquerading as a legitimate user.
Patching the Holes
The good news is that the maintainers have already pushed out fixes. If you’re running LangGraph, it’s time to audit your environment and update your dependencies immediately.
| Component | Minimum Version |
|---|---|
| langchain-core | 1.2.22 or 0.3.81 / 1.2.5 |
| langgraph-checkpoint-sqlite | 3.0.1 |
For the deep-dive details, check out the official advisories for GHSA-9rwj-6rc7-p77c and GHSA-g48c-2wqr-h844.
The Bigger Picture: AI Infrastructure Security
This disclosure is a wake-up call for how we integrate AI into enterprise workflows. We’re rushing to build these stateful, memory-heavy agents, but we’re often treating the persistence layer as an afterthought. As The Hacker News noted, chaining SQL injection with deserialization is a sophisticated move that punches right through traditional security controls.
Because these agents handle complex, stateful interactions, they naturally require elevated permissions to talk to databases and external services. That’s a massive attack surface. If you’re managing self-hosted AI, your priority has to be isolation. Keep your persistence layers—whether it’s SQLite, Redis, or something else—locked down and separated from the rest of your network.
And let’s be honest: input validation is non-negotiable. Even if the data is coming from "inside" the framework, treat it as hostile. Keep a close eye on the LangChain security advisories and make sure your team is ready to pivot when a patch drops. In the current landscape, the ability to rapidly update and reconfigure your agent infrastructure is just as important as the code that makes the agent smart in the first place. Stay vigilant.
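Applying that "treat it as hostile" rule to the prompt-loading path traversal in the CVE list above, here is an added Python example of a loader that trusts a caller-supplied prompt name next to one that confines every resolved path to its base directory. This is illustrative code written for this article, not the framework's prompt-loading subsystem and not a reproduction of CVE-2026-34070; the directory layout and both `load_prompt_*` functions are constructed for the example. It assumes Python 3.9 or later for `Path.is_relative_to`.

```python
import os
import tempfile
from pathlib import Path


def load_prompt_vulnerable(base_dir: str, name: str) -> str:
    """os.path.join neither rejects '..' segments nor keeps base_dir when
    name is absolute, so name='../outside.txt' reads outside base_dir."""
    return Path(os.path.join(base_dir, name)).read_text()


def load_prompt_hardened(base_dir: str, name: str) -> str:
    """Resolve both sides (collapsing '..' and following symlinks) and refuse
    anything that does not land strictly inside the resolved base."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):
        raise PermissionError(f"prompt path escapes base dir: {name!r}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


def build_fixture() -> tuple[str, str]:
    """Constructed layout in a temp dir:
         <root>/prompts/hello.txt   (legitimate prompt)
         <root>/outside.txt         (file the loader must never return)
    Returns (prompts_dir, path_of_outside_file)."""
    root = Path(tempfile.mkdtemp())
    prompts = root / "prompts"
    prompts.mkdir()
    (prompts / "hello.txt").write_text("You are a helpful assistant.")
    outside = root / "outside.txt"
    outside.write_text("NOT A PROMPT")
    return str(prompts), str(outside)


if __name__ == "__main__":
    prompts_dir, outside_file = build_fixture()
    print("vulnerable, honest  :", load_prompt_vulnerable(prompts_dir, "hello.txt"))
    print("vulnerable, traversal:", load_prompt_vulnerable(prompts_dir, "../outside.txt"))
    print("hardened, honest    :", load_prompt_hardened(prompts_dir, "hello.txt"))
    for bad in ("../outside.txt", outside_file):
        try:
            load_prompt_hardened(prompts_dir, bad)
        except PermissionError as exc:
            print("hardened rejects    :", exc)
```

The hardened loader rejects both the relative `../outside.txt` and an absolute path, because `base / name` yields the absolute path unchanged and `resolve()` then shows it is not under `base`. Resolving `base` first also matters on systems where the temp directory itself is a symlink (for example `/var` on macOS), otherwise a correct path would be rejected as an escape.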