Executive Summary
In February 2026, a critical remote code execution (RCE) vulnerability, identified as CVE-2026-27794, was discovered in LangGraph's caching layer. This flaw allowed attackers with write access to the cache backend to inject malicious serialized objects, leading to arbitrary code execution upon deserialization by the LangGraph process. The vulnerability affected versions of langgraph-checkpoint prior to 4.0.0 and was particularly concerning for applications utilizing cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. (sentinelone.com)
This incident underscores the persistent risks associated with deserialization of untrusted data, especially in AI frameworks. Organizations leveraging LangGraph for AI agent orchestration must ensure they have updated to version 4.0.0 or later to mitigate this vulnerability. The event highlights the critical need for secure coding practices and regular security assessments in AI development environments.
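An added example, not LangGraph's code and not a description of the 4.0.0 fix: one way to keep a writable cache backend from feeding objects to a deserializer is to store a data-only format (JSON here) and authenticate every entry with an HMAC before parsing it. The names seal, unseal and read_through, the dict used as the store, and the MAC key (assumed to live outside the cache backend) are hypothetical.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class TamperedEntry(Exception):
    """Raised when a stored entry fails authentication."""


def _mac(key: bytes, cache_key: str, body: bytes) -> bytes:
    # Length-prefix the cache key so (key, body) pairs cannot be confused.
    k = cache_key.encode()
    return hmac.new(key, len(k).to_bytes(4, "big") + k + body,
                    hashlib.sha256).digest()


def seal(key: bytes, cache_key: str, value) -> bytes:
    """Serialize value as JSON and prepend a tag bound to its cache key."""
    body = json.dumps(value, sort_keys=True).encode()
    return _mac(key, cache_key, body) + body


def unseal(key: bytes, cache_key: str, blob: bytes):
    """Authenticate first; only bytes this process produced get parsed."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(
            tag, _mac(key, cache_key, body)):
        raise TamperedEntry(cache_key)
    return json.loads(body)


def read_through(store: dict, key: bytes, cache_key: str):
    """Treat a tampered entry as a cache miss: evict it and return None."""
    blob = store.get(cache_key)
    if blob is None:
        return None
    try:
        return unseal(key, cache_key, blob)
    except TamperedEntry:
        store.pop(cache_key, None)
        return None
```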
Why This Matters Now
The CVE-2026-27794 vulnerability in LangGraph's caching layer highlights the ongoing risks of deserializing untrusted data in AI frameworks. Organizations using LangGraph must upgrade to version 4.0.0 or later to mitigate this threat and ensure the security of their AI agent orchestration systems.
Attack Path Analysis
An attacker exploited a SQL injection vulnerability in LangGraph's SQLite checkpoint implementation to manipulate SQL queries and insert malicious data. This allowed the attacker to escalate privileges by injecting a crafted msgpack payload into the checkpoint data. The malicious payload was deserialized by the application, enabling remote code execution. The attacker established command and control by executing arbitrary commands on the compromised server. Sensitive data was exfiltrated from the server to an external location. The attack resulted in unauthorized access and potential data breach.
Kill Chain Progression
Initial Compromise
Description
An attacker exploited a SQL injection vulnerability in LangGraph's SQLite checkpoint implementation to manipulate SQL queries and insert malicious data.
Related CVEs
CVE-2025-67644
CVSS 7.8
A SQL injection vulnerability in LangGraph's SQLite checkpoint implementation allows attackers to manipulate SQL queries through metadata filter keys, potentially leading to remote code execution.
Affected Products:
LangChain langgraph-checkpoint-sqlite – < 3.0.1
Exploit Status:
no public exploit
CVE-2026-28277
CVSS 7.2
An unsafe msgpack deserialization vulnerability in LangGraph could be exploited by attackers to execute arbitrary code during checkpoint loading.
Affected Products:
LangChain langgraph – < 1.0.10
Exploit Status:
no public exploit
CVE-2026-27022
CVSS 6.5
A RediSearch Query Injection in @langchain/langgraph-checkpoint-redis allows attackers to bypass access controls.
Affected Products:
LangChain @langchain/langgraph-checkpoint-redis – < 1.0.1
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Process Injection
Server Software Component: Web Shell
Application Layer Protocol: Web Protocols
Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
LangGraph supply-chain vulnerabilities expose AI agent developers to remote code execution, requiring enhanced egress security and zero trust segmentation for development environments.
Information Technology/IT
Self-hosted AI agent infrastructures face critical SQL injection risks, demanding multicloud visibility controls and threat detection capabilities for secure AI deployments.
Financial Services
AI-powered trading and customer service agents vulnerable to remote exploitation, necessitating encrypted traffic monitoring and compliance with PCI/NIST frameworks.
Health Care / Life Sciences
Healthcare AI applications using LangGraph framework risk HIPAA violations through data exfiltration, requiring enhanced anomaly detection and secure hybrid connectivity.
Sources
- LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution: https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html (Verified)
- From SQLi to RCE – Exploiting LangGraph’s Checkpointer: https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/ (Verified)
- CVE-2025-67644 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-67644 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation of application vulnerabilities, it could limit the attacker's ability to exploit other workloads by enforcing strict segmentation.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could limit the attacker's lateral movement by enforcing strict segmentation and monitoring east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish command and control by providing real-time monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
Aviatrix Zero Trust CNSF could limit the overall impact of the attack by reducing the blast radius through strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- AI Agent Operations
- Data Processing Pipelines
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of AI model states and sensitive processing data.
Recommended Actions
Key Takeaways & Next Steps
- Implement input validation and parameterized queries to prevent SQL injection vulnerabilities.
- Disable or restrict deserialization of untrusted data to mitigate remote code execution risks.
- Apply the latest security patches to LangGraph and related components to address known vulnerabilities.
- Monitor and restrict access to checkpoint data to prevent unauthorized modifications.
- Conduct regular security assessments and code reviews to identify and remediate potential vulnerabilities.



