Check Point has disclosed three now-patched flaws in LangGraph, the popular LangChain framework for building AI agents, that can be chained for remote code execution on self-hosted servers. The chain combines an SQL injection (CVE-2025-67644) with an unsafe msgpack deserialization bug (CVE-2026-28277): an attacker who can reach the agent's stored-state endpoint plants a malicious checkpoint that runs code when loaded. A compromised LangGraph server exposes everything the agent can touch, including model API keys, customer data, and internal network access. It is only exploitable in self-hosted deployments using the SQLite or Redis checkpointer; LangChain's managed LangSmith platform is not affected.
Backfill from April 15: OX Security disclosed an architectural flaw in the official Model Context Protocol SDKs (Python, TypeScript, Java, Rust) that lets attacker-controlled JSON config trigger arbitrary OS commands via the STDIO transport. Roughly 200,000 publicly reachable MCP servers and 150 million SDK downloads inherit the issue. OX has tied 14 CVEs to the same root cause across LiteLLM (patched), Bisheng (patched), Windsurf (zero-click RCE in Cursor-style IDEs, still reported), Flowise, LangFlow, GPT Researcher, Agent Zero, and DocsGPT. Anthropic declined to patch the protocol, calling the behavior 'expected.'