Vulnerability  ·  2026-07-07

LangGraph Task Result Cache — Weak Hash in Cache Key Generation

VulnerabilityLow impactGlobalCVE-2026-14742
LangGraph's task-result caching mechanism generates cache keys using a weak hash function, which could allow crafted inputs to collide with cached results, potentially causing stale or incorrect cached task outputs to be served.
While LangGraph is widely deployed for building stateful LLM agents, this specific flaw is low severity (CVSS 3.1) and requires local access — worth tracking given the framework's popularity but not an urgent risk on its own.
The _freeze function in libs/langgraph/langgraph/_internal/_cache.py uses a weak/non-cryptographic hash for the default_cache_key argument in the Task Result Cache, which a local attacker could potentially exploit to cause cache-key collisions.
langchain-ai langgraph, up to version 1.2.4
Upgrade to a patched LangGraph release using a stronger hash function for cache keys, or supply a custom strong-hash cache-key function.
NVD CVE-2026-14742LangGraph GitHub
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →