What happened
CVE-2026-14742 (CVSS 3.1 Low, published 2026-07-05) is a weak-hash weakness in LangGraph's task result caching component.
Why it matters
LangGraph is a widely-used agent-orchestration framework, but this specific bug is low severity and narrow (cache-key collision risk) rather than a direct code-execution or data-exposure path — kept as a precise catalogued CVE.
Attack vector
The _freeze function's default_cache_key argument uses a weak/non-cryptographic hash function, potentially enabling cache-key collisions or prediction in the Task Result Cache.
Affected systems
langchain-ai langgraph ≤ 1.2.4 (libs/langgraph/langgraph/_internal/_cache.py)
Mitigation
No fix version confirmed at disclosure; use a cryptographically strong hash for cache keys as a workaround.