From SQLi to RCE – Exploiting LangGraph’s Checkpointer
Check Point Research reports three flaws in LangGraph’s persistence layer (checkpointers), impacting the SQLite checkpointer (CVE-2025-67644 and CVE-2026-28277) and the Redis checkpointer (CVE-2026-27022). In the SQLite path, a filter-related SQL injection can be chained with unsafe msgpack deserialization to reach remote code execution, since attacker-supplied checkpoint data is deserialized during state history retrieval. This matters most for teams self-hosting LangGraph and exposing get_state_history() with a user-controlled filter; LangChain’s managed LangSmith Deployment using PostgreSQL is not affected. Fixes are available in langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+.
By Yarden Porat
AI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down?
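For teams that expose get_state_history() with a caller-supplied filter, the sketch below shows one way to constrain that filter before it reaches a checkpointer. It is an added example, not code from LangGraph or Check Point Research. The table layout, the ALLOWED_KEYS set and the helper names are assumptions made for illustration.

```python
import json
import sqlite3

# Assumption: the metadata keys this application lets callers filter on.
ALLOWED_KEYS = {"source", "step", "user_id"}
SCALARS = (str, int, float)

def validate_filter(user_filter):
    """Reject anything that is not a flat dict of allowlisted key -> scalar."""
    if not isinstance(user_filter, dict):
        raise ValueError("filter must be an object")
    for key, value in user_filter.items():
        if key not in ALLOWED_KEYS:
            raise ValueError(f"filter key not allowed: {key!r}")
        if not isinstance(value, SCALARS):
            raise ValueError(f"filter value for {key!r} must be a scalar")
    return user_filter

def query_history(conn, thread_id, user_filter):
    """Stand-in for a metadata-filtered history lookup. Every caller-supplied
    part, including the JSON path, is passed as a bound parameter."""
    clauses, params = ["thread_id = ?"], [thread_id]
    for key, value in validate_filter(user_filter).items():
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    sql = ("SELECT checkpoint_id FROM checkpoints WHERE "
           + " AND ".join(clauses) + " ORDER BY checkpoint_id")
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Constructed sample data, not a real LangGraph checkpoint schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints "
                 "(thread_id TEXT, checkpoint_id TEXT, metadata TEXT)")
    rows = [("t1", "c1", {"source": "input", "step": 0}),
            ("t1", "c2", {"source": "loop", "step": 1}),
            ("t2", "c3", {"source": "loop", "step": 1})]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)",
                     [(t, c, json.dumps(m)) for t, c, m in rows])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(query_history(db, "t1", {"source": "loop"}))
```

Validation at the application boundary complements upgrading to the fixed package versions listed above; it does not replace it.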
Key Points
- Check Point Research analyzed LangGraph, an open-source framework for stateful AI agents with over 50 million monthly downloads, and uncovered three vulnerabilities in its persistence layer.
- Two of them chain into remote code execution: a SQL injection in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization (CVE-2026-28277).…