thehackernews.com web signal

Check Point: LangGraph CVEs Chain to Agent RCE


Key insights

  • CVE-2025-67644 SQL injection chains with msgpack deserialization flaw CVE-2026-28277 to achieve remote code execution, as discovered by Check Point researcher Yarden Porat.
  • All three vulnerabilities are patched: langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and @langchain/langgraph-checkpoint-redis 1.0.1 each contain the relevant fix.
  • Only self-hosted LangGraph deployments using SQLite or Redis checkpointers with user-controlled input to get_state_history() are vulnerable; LangSmith's managed platform is unaffected.
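One way to check a Python environment against the fixed versions listed above (an added example, not code from Check Point or LangChain). It assumes `pip freeze`-style input; the function names, status labels and sample lines are constructed for illustration.

```python
import re

# Fixed versions as stated on this page (Python packages only; the Redis
# checkpointer fix, @langchain/langgraph-checkpoint-redis 1.0.1, is an npm package).
FIXED = {
    "langgraph": (1, 0, 10),
    "langgraph-checkpoint-sqlite": (3, 0, 1),
}
LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==)?\s*([^\s;]*)")
RELEASE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")

# Constructed sample input, not taken from any real deployment.
SAMPLE = [
    "langgraph==1.0.9",
    "langgraph-checkpoint-sqlite==3.0.1",
    "langgraph-sdk==0.2.0",
    "LangGraph_Checkpoint_SQLite==2.1.0  # legacy env",
    "langgraph==1.0.10rc1",
    "langgraph>=1.0",
]

def normalize(name):
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(lines):
    """Return (package, version_text, status) for each affected package needing attention."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        m = LINE.match(line)
        if not m or normalize(m.group(1)) not in FIXED:
            continue  # not one of the packages named on this page
        name, pinned, text = normalize(m.group(1)), m.group(2), m.group(3)
        rel = RELEASE.match(text) if pinned else None
        if rel is None:  # range specifier or unreadable version: cannot prove it is fixed
            findings.append((name, text, "unpinned-or-unparsed"))
            continue
        release = tuple(int(p) for p in rel.group(1).split("."))
        release += (0,) * (len(FIXED[name]) - len(release))
        if release < FIXED[name]:
            findings.append((name, text, "below-fix"))
        elif release == FIXED[name] and rel.group(2):  # e.g. rc/dev build of the fix version
            findings.append((name, text, "suffix-review"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A clean result only means the pinned versions are at or above the fixes; whether user-controlled input reaches get_state_history() still has to be checked in the application itself.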

Why this matters

Self-hosted LangGraph deployments are production AI agent infrastructure, and RCE in that layer means an attacker fully controls the agent's execution environment. The vulnerability class (SQL injection chaining into unsafe deserialization) is well-understood and toolable, making automated exploitation realistic against unpatched instances now that Check Point has publicly disclosed the full chain. The clean split between managed LangSmith (unaffected) and self-hosted LangGraph (affected) gives enterprise security teams a concrete data point in evaluating security tradeoffs between managed AI platforms and self-hosted agent frameworks.

Summary

Three vulnerabilities in LangGraph, disclosed by Check Point researcher Yarden Porat, chain to remote code execution on self-hosted AI agent deployments. CVE-2025-67644 (CVSS 7.3) is a SQL injection in the SQLite checkpointer that lets attackers inject fake checkpoint rows by manipulating SQL queries through metadata filter keys. A vulnerable msgpack implementation then deserializes those rows (CVE-2026-28277, CVSS 6.8), performing object reconstruction when a checkpoint is loaded and executing arbitrary payloads. A third flaw, CVE-2026-27022 (CVSS 6.5), hits the Redis checkpointer via RediSearch query injection that can bypass access controls.

Essentially, the chain fires only on self-hosted instances where user-controlled input reaches get_state_history() using SQLite or Redis checkpointers (LangChain, Check Point Research).

  • Patches available: langgraph-checkpoint-sqlite 3.0.1, langgraph core 1.0.10, @langchain/langgraph-checkpoint-redis 1.0.1
  • LangChain's managed LangSmith platform is not affected by any of the three flaws

Unpatched self-hosted LangGraph deployments are now running against a publicly disclosed, chainable RCE path.

Potential risks and opportunities

Risks

  • Self-hosted LangGraph users running langgraph before 1.0.10 or langgraph-checkpoint-sqlite before 3.0.1 remain exposed to the RCE chain with every unpatched hour after public disclosure
  • Enterprises that deployed LangGraph agents with broad system access face potential attacker persistence if the exploit chain was used before CVE-2025-67644 and CVE-2026-28277 were publicly disclosed
  • LangChain faces security-driven churn from enterprise teams re-evaluating self-hosted LangGraph, with pressure to migrate toward managed LangSmith or competing orchestration frameworks after this RCE disclosure

Opportunities

  • AI application security scanners (Snyk, Semgrep, Socket) can ship LangGraph-specific CVE detection rules, capitalizing on enterprise demand for automated identification of vulnerable AI framework versions
  • LangChain's managed LangSmith platform gains a concrete security differentiator for enterprise sales cycles, with documented evidence that managed hosting sidesteps the self-hosted RCE chain entirely
  • Security consultancies offering AI red-teaming (Trail of Bits, NCC Group) can add LangGraph exploit chain modules to AI-specific penetration testing frameworks, capturing new demand following this disclosure

What we don't know yet

  • Whether a working proof-of-concept exploit for the CVE-2025-67644 and CVE-2026-28277 chain has been published or is circulating privately following Check Point's disclosure
  • How many production self-hosted LangGraph deployments were running vulnerable versions at time of disclosure; no install-base numbers or telemetry were cited in the research
  • Whether CVE-2026-27022 RediSearch injection can independently lead to RCE or requires the SQLite SQL injection path as a prerequisite for full exploitation