Vulnerability  ·  2026-06-13

LangGraph RCE Chain: SQL Injection + msgpack Deserialization in Stateful Agent Checkpointer (CVE-2025-67644 + CVE-2026-28277)

Vulnerability · High impact · Global · CVE-2025-67644 / CVE-2026-28277
Check Point Research disclosed a critical two-stage vulnerability chain in LangGraph on June 11, 2026. CVE-2025-67644 is an SQL injection in the SQLite checkpointer (langgraph-checkpoint-sqlite) that allows manipulation of agent memory stored in checkpoints. CVE-2026-28277 is an unsafe msgpack deserialization flaw that, when chained with the SQL injection, enables full remote code execution on the server hosting the LangGraph agent. A compromised agent exposes LLM API keys, conversation histories, connected enterprise data, and internal network access.
An attacker with the ability to influence agent state (e.g., through a prior prompt injection or by controlling content the agent reads) can embed a crafted SQL payload into the state the checkpointer persists. When the SQLite checkpointer deserializes this payload, it triggers the msgpack chain, achieving RCE on the host. The Redis checkpointer may also be affected.
Affected versions are langgraph before 1.0.10 and langgraph-checkpoint-sqlite before 3.0.1. LangGraph is the enterprise-standard stateful agent framework created by the LangChain team, widely deployed in production agentic systems.
Upgrade immediately to langgraph-checkpoint-sqlite ≥3.0.1 and langgraph ≥1.0.10. Until patched, restrict external content ingestion by agents using SQLite/Redis checkpointers, implement input sanitisation on all agent memory writes, and audit stored checkpoints for tampering indicators.
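As an added illustration of two of the interim mitigations above (sanitised memory writes and checkpoint auditing), not code from LangGraph or from Check Point Research: a constructed, simplified checkpoint table with the interpolating read pattern beside its bound-parameter form, plus an audit that flags stored identifiers carrying SQL metacharacters. The schema, the SAFE_ID policy and all function names are assumptions, not the langgraph-checkpoint-sqlite implementation.

```python
import re
import sqlite3

# Constructed, simplified model of a checkpoint table. This is NOT the
# langgraph-checkpoint-sqlite schema; it only illustrates the access patterns.
SCHEMA = """
CREATE TABLE checkpoints (
    thread_id     TEXT NOT NULL,
    checkpoint_id TEXT NOT NULL,
    checkpoint    BLOB NOT NULL,
    PRIMARY KEY (thread_id, checkpoint_id)
)
"""

# Assumed identifier policy: thread and checkpoint ids are opaque tokens, so
# a stored id outside this character set is a tampering indicator to review.
SAFE_ID = re.compile(r"^[A-Za-z0-9_.:-]{1,128}$")


def new_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def put(conn, thread_id: str, checkpoint_id: str, blob: bytes) -> None:
    # Hardened write: every caller-influenced value is bound, never interpolated.
    conn.execute(
        "INSERT OR REPLACE INTO checkpoints VALUES (?, ?, ?)",
        (thread_id, checkpoint_id, blob),
    )


def get_unsafe(conn, thread_id: str) -> list:
    # Vulnerable read pattern: the id is spliced into the SQL text, so a value
    # containing a quote rewrites the WHERE clause and reads other threads' memory.
    sql = f"SELECT thread_id, checkpoint FROM checkpoints WHERE thread_id = '{thread_id}'"
    return conn.execute(sql).fetchall()


def get_safe(conn, thread_id: str) -> list:
    # Hardened read: the same value is a bound parameter and matches literally.
    query = "SELECT thread_id, checkpoint FROM checkpoints WHERE thread_id = ?"
    return conn.execute(query, (thread_id,)).fetchall()


def audit(conn) -> list:
    # Flag rows whose identifiers do not look like opaque tokens; a stored id
    # carrying SQL metacharacters means an unsanitised write already happened.
    rows = conn.execute("SELECT thread_id, checkpoint_id FROM checkpoints").fetchall()
    return [(t, c) for t, c in rows if not (SAFE_ID.match(t) and SAFE_ID.match(c))]
```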
Sources
Check Point Research — When Your AI Agent's Memory Becomes a Security Liability