← All articles

LangGraph flaw chain exposes self-hosted AI agents to code execution

Check Point has disclosed three now-patched flaws in LangGraph, the popular LangChain framework for building AI agents, that can be chained for remote code execution on self-hosted servers. The chain combines an SQL injection (CVE-2025-67644) with an unsafe msgpack deserialization bug (CVE-2026-28277): an attacker who can reach the agent's stored-state endpoint plants a malicious checkpoint that runs code when loaded. A compromised LangGraph server exposes everything the agent can touch, including model API keys, customer data, and internal network access. It is only exploitable in self-hosted deployments using the SQLite or Redis checkpointer; LangChain's managed LangSmith platform is not affected.

Check
Identify self-hosted LangGraph deployments using the SQLite or Redis checkpointer, check whether the get_state_history endpoint is exposed without authentication, and confirm the framework version against the patched releases.
Affected
Self-hosted LangGraph servers using the SQLite or Redis checkpointer with user-controlled filter input (CVE-2025-67644, CVE-2026-28277, CVE-2026-27022). Managed LangSmith deployments are not affected.
Fix
Upgrade LangGraph to the patched versions, require authentication on self-hosted servers, avoid long-lived static secrets, segment the network, and treat AI agents as privileged identities with least-privilege access.