From SQLi to RCE – Exploiting LangGraph’s Checkpointer
Check Point Research discovered critical vulnerabilities in LangGraph's SQLite and Redis checkpointers that allow attackers to chain SQL injection with unsafe msgpack deserialization to achieve Remote Code Execution (RCE). The flaws occur when user-controlled input is passed to the get_state_history() filter, enabling attackers to inject malicious serialized payloads that execute arbitrary OS commands upon deserialization.
What Happened
Security researchers found severe flaws in LangGraph, a popular framework used to build AI agents. If a company hosts LangGraph itself and allows users to filter chat or agent history, an attacker can manipulate the database to run malicious code on the server. This could allow the attacker to take full control of the system hosting the AI. Organizations using LangGraph should immediately update their software to the latest patched versions.
Key Takeaways
- LangGraph's SQLite and Redis checkpointers are vulnerable to SQL injection when user-controlled filters are passed to the get_state_history() function.
- The SQL injection (CVE-2025-67644) can be chained with an unsafe msgpack deserialization flaw (CVE-2026-28277) to achieve Remote Code Execution (RCE).
- A similar SQL injection vulnerability exists in the Redis checkpointer (CVE-2026-27022).
- LangChain's managed cloud service (LangSmith Deployment) uses PostgreSQL and is not vulnerable to this specific attack chain.
- Patches are available; users must update langgraph-checkpoint-sqlite, langgraph, langgraph-checkpoint-redis, and langgraph-checkpoint.
Affected Systems
- LangGraph self-hosted instances using SQLite checkpointer (< 3.0.1)
- LangGraph self-hosted instances using Redis checkpointer (< 1.0.2)
- LangGraph (< 1.0.10)
- langgraph-checkpoint (< 4.0.1)
Vulnerabilities (CVEs)
- CVE-2025-67644
- CVE-2026-28277
- CVE-2026-27022
Attack Chain
The attacker sends a crafted filter parameter to the get_state_history() function, exploiting a SQL injection vulnerability in the SQLite or Redis checkpointer. Using a UNION SELECT statement, the attacker injects a fake checkpoint record containing a malicious msgpack payload. When the application retrieves and deserializes this fake checkpoint, the custom msgpack extension hook (_msgpack_ext_hook) processes the payload. This allows the attacker to import arbitrary Python modules, such as os, and execute system commands, resulting in Remote Code Execution.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but details the vulnerable code paths and SQL injection mechanisms for behavioral hunting.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions will easily detect the Python process spawning unexpected child processes (like sh or cmd) to execute system commands post-exploitation.
- Network Visibility: Low. The attack payload is embedded within application-layer requests to the LangGraph API, making it difficult to inspect without SSL decryption and deep application logic understanding.
- Detection Difficulty: Moderate. While the initial SQL injection might blend in with normal application traffic if not explicitly monitored, the resulting RCE (Python spawning shells) is a classic, highly detectable behavioral anomaly.
Required Log Sources
- Application Logs
- Process Creation Logs
- Database Query Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for the Python process hosting LangGraph spawning unexpected shell processes (e.g., sh, bash, cmd.exe), which indicates potential RCE via deserialization. | Process Creation Logs | Execution | Low |
| Evaluate whether database query logs show UNION SELECT statements interacting with the checkpoints table, specifically injecting msgpack types. | Database Query Logs | Initial Access | Low |
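The two hypotheses above can be prototyped over exported telemetry before being ported to a SIEM. This is an added example, not detection logic from the original article or from LangGraph; the event field names (`parent_image`, `image`, `command_line`) and the sample query text are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
PYTHON_RE = re.compile(r"^python(\d+(\.\d+)?)?(\.exe)?$")
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b")

def image_name(path):
    # PureWindowsPath splits on both "/" and "\", so one helper covers both OSes.
    return PureWindowsPath(path).name.lower()

def hunt_shell_children(events):
    """Process-creation events where a Python interpreter is the parent of a shell."""
    return [e for e in events
            if PYTHON_RE.match(image_name(e["parent_image"]))
            and image_name(e["image"]) in SHELLS]

def normalize_sql(query):
    # Drop SQL comments and collapse whitespace so "UNION/**/SELECT" and
    # "union\n  all select" compare equal to the plain form.
    return re.sub(r"\s+", " ", COMMENT_RE.sub(" ", query)).strip().lower()

def hunt_union_on_checkpoints(queries):
    """Logged queries that combine UNION SELECT with the checkpoints table."""
    hits = []
    for q in queries:
        n = normalize_sql(q)
        if UNION_RE.search(n) and re.search(r"\bcheckpoints\b", n):
            hits.append({"query": q, "msgpack_literal": "msgpack" in n})
    return hits

# Constructed sample telemetry (field names and query text are assumptions).
PROC_EVENTS = [
    {"parent_image": "/usr/bin/python3.11", "image": "/bin/sh", "command_line": "sh -c id"},
    {"parent_image": "/usr/bin/python3.11", "image": "/usr/bin/python3.11", "command_line": "python3.11 worker.py"},
    {"parent_image": "/usr/sbin/cron", "image": "/bin/bash", "command_line": "bash /etc/cron.daily/logrotate"},
]
DB_QUERIES = [
    "SELECT thread_id, checkpoint FROM checkpoints WHERE thread_id = ? ORDER BY checkpoint_id DESC",
    "SELECT thread_id, checkpoint FROM checkpoints WHERE thread_id = ? UNION/**/SELECT 'x', 'y'",
    "SELECT id FROM audit_2024 UNION ALL SELECT id FROM audit_2025",
]

if __name__ == "__main__":
    for e in hunt_shell_children(PROC_EVENTS):
        print("shell child:", e["command_line"])
    for h in hunt_union_on_checkpoints(DB_QUERIES):
        print("union on checkpoints:", h)
```

Applications that legitimately shell out from Python need an exclusion list keyed on the expected child command line before the first hunt is usable as an alert.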
Control Gaps
- Lack of input validation on API endpoints
- Insufficiently restricted deserialization routines
Key Behavioral Indicators
- Python process spawning shell commands
- SQL queries containing unexpected UNION SELECT statements targeting the checkpoints table
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Update langgraph-checkpoint-sqlite to version 3.0.1 or higher.
- Update langgraph to version 1.0.10 or higher.
- Update langgraph-checkpoint-redis to version 1.0.2 or higher.
- Update langgraph-checkpoint to version 4.0.1 or higher.
Infrastructure Hardening
- Evaluate whether application inputs passed to database queries can be strictly parameterized to prevent SQL injection.
- Consider running the LangGraph application with the least privilege necessary, restricting its ability to execute arbitrary OS commands.
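Strict parameterization of a user-supplied history filter can look like the following. This is an added example using a hypothetical filter-to-SQL helper and a constructed `checkpoints` table, not LangGraph's own code or schema; it assumes the filter is a flat dict matched against a JSON metadata column.

```python
import json
import re
import sqlite3

KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def unsafe_where(flt):
    # Anti-pattern shown for contrast: the filter key becomes part of the SQL text.
    preds = [f"json_extract(metadata, '$.{k}') = ?" for k in flt]
    return " AND ".join(preds), list(flt.values())

def safe_where(flt):
    # Keys must look like plain identifiers, and the JSON path is bound as a
    # parameter too, so no caller-supplied text ever reaches the SQL string.
    preds, params = [], []
    for key, value in flt.items():
        if not isinstance(key, str) or not KEY_RE.match(key):
            raise ValueError(f"rejected filter key: {key!r}")
        if not isinstance(value, (str, int, float)):
            raise ValueError(f"rejected filter value for {key!r}")
        preds.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(preds) or "1=1", params

def history(conn, thread_id, flt):
    where, params = safe_where(flt)
    sql = ("SELECT checkpoint_id FROM checkpoints "
           f"WHERE thread_id = ? AND {where} ORDER BY checkpoint_id")
    return [row[0] for row in conn.execute(sql, [thread_id, *params])]

def demo_db():
    # Constructed table; the real checkpointer schema may differ.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, metadata TEXT)")
    rows = [("t1", "c1", {"source": "input", "step": 0}),
            ("t1", "c2", {"source": "loop", "step": 1}),
            ("t2", "c3", {"source": "loop", "step": 1})]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)",
                     [(t, c, json.dumps(m)) for t, c, m in rows])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(history(db, "t1", {"source": "loop"}))
    print(unsafe_where({"a'b": 1})[0])  # the quote from the key lands in the SQL text
```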
User Protection
- N/A
Security Awareness
- Educate development teams on the risks of unsafe deserialization, particularly when using formats like msgpack or pickle with custom extension hooks.
- Reinforce the importance of using parameterized queries or ORMs securely to prevent SQL injection vulnerabilities.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.006 - Command and Scripting Interpreter: Python
- T1505 - Server Software Component