Express Computer

Check Point finds vulnerability chain in LangGraph


Researchers at Check Point have disclosed a critical vulnerability chain in LangGraph, a widely adopted open-source framework used for building stateful AI agents, warning that the flaws could allow attackers to achieve remote code execution and gain control over self-hosted AI agent environments.

The findings highlight how traditional software vulnerabilities can have significantly greater consequences when they occur within AI agent frameworks that possess access to sensitive enterprise data, credentials and operational systems.

According to Check Point Research, the vulnerability chain affects self-hosted deployments of LangGraph that utilise SQLite or Redis-based checkpointing mechanisms and expose specific application programming interfaces (APIs) to user-controlled inputs.

Developed by the creators of LangChain, LangGraph has emerged as one of the most widely used frameworks for building AI agents and agentic workflows. The platform enables developers to create stateful applications capable of retaining memory, orchestrating multi-step processes and interacting with enterprise systems.

Vulnerability chain leads to remote code execution

The researchers identified a vulnerability in LangGraph’s checkpoint management functionality, specifically within the mechanism used to retrieve historical execution states.

The issue stems from an SQL injection vulnerability that allows attackers to manipulate database queries and retrieve unauthorised checkpoint data. When combined with a separate deserialisation weakness in how LangGraph processes stored checkpoint information, the flaw can be leveraged to execute malicious code on the underlying server.

The researchers noted that the security risk arises not from a single vulnerability but from the combination of multiple weaknesses that create a complete attack path.

Three Common Vulnerabilities and Exposures (CVEs) have been assigned:

  • CVE-2025-67644 – SQLite injection vulnerability
  • CVE-2026-28277 – MessagePack deserialisation leading to remote code execution
  • CVE-2026-27022 – Redis injection vulnerability

All identified vulnerabilities have been patched by the LangChain development team.

Potential impact on enterprise AI deployments

The researchers warn that a successful compromise could expose a wide range of enterprise assets connected to AI agent environments.

These may include API credentials for large language models (LLMs), historical conversation records, customer data, CRM systems, internal databases and other applications accessed by the AI agent.

Unlike prompt injection attacks that typically affect individual AI interactions, a compromise at the agent infrastructure level could provide attackers with persistent access to the broader environment in which the AI agent operates.

The report notes that AI agents increasingly function as privileged entities within enterprise environments, often holding credentials and permissions to access multiple systems on behalf of users. As a result, compromising an agent runtime can potentially provide a pathway into broader enterprise infrastructure.

Researchers also highlighted the risk of attackers manipulating agent behaviour after compromise, potentially influencing automated decisions, accessing sensitive information or abusing trusted workflows.

Managed deployments not affected

According to Check Point, the vulnerability chain does not affect LangChain’s managed deployment platform, which uses PostgreSQL rather than the vulnerable checkpointing implementations.

The affected scenarios are limited to self-hosted deployments that use SQLite or Redis checkpoint backends and expose the vulnerable functionality through user-accessible interfaces.

The vulnerabilities have been addressed in the following versions:

  • LangGraph-checkpoint-sqlite 3.0.1 or later
  • LangGraph 1.0.10 or later
  • LangGraph-checkpoint-redis 1.0.2 or later

Organisations running earlier versions have been advised to update immediately.
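
As an added example (not from Check Point or the LangChain project), the following script checks a Python environment against the fixed versions listed above. It assumes the packages are installed under the lowercase distribution names `langgraph`, `langgraph-checkpoint-sqlite` and `langgraph-checkpoint-redis`; the function names are illustrative.

```python
import re
from importlib import metadata

# Minimum fixed versions as listed in the article (distribution names assumed lowercase).
PATCHED = {
    "langgraph": "1.0.10",
    "langgraph-checkpoint-sqlite": "3.0.1",
    "langgraph-checkpoint-redis": "1.0.2",
}

def parse_version(text):
    """Return (release_tuple, is_prerelease) for a PEP 440-style version string."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2).lower()
    # rc/alpha/beta/dev suffixes sort before the release; .postN and +local do not.
    pre = bool(suffix) and not suffix.startswith((".post", "+"))
    return release, pre

def is_patched(installed, minimum):
    rel, pre = parse_version(installed)
    min_rel, _ = parse_version(minimum)
    width = max(len(rel), len(min_rel))      # pad so 1.1 compares as 1.1.0
    rel += (0,) * (width - len(rel))
    min_rel += (0,) * (width - len(min_rel))
    if rel != min_rel:
        return rel > min_rel                 # numeric compare: 1.0.10 > 1.0.9
    return not pre                           # 1.0.10rc1 predates the 1.0.10 fix

def installed_versions():
    """Look up each tracked package in the current environment (None if absent)."""
    found = {}
    for name in PATCHED:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            found[name] = None
    return found

def audit(installed):
    """Map each tracked package to 'absent', 'patched' or 'outdated'."""
    report = {}
    for name, minimum in PATCHED.items():
        version = installed.get(name)
        if version is None:
            report[name] = "absent"
        else:
            report[name] = "patched" if is_patched(version, minimum) else "outdated"
    return report

if __name__ == "__main__":
    for name, status in audit(installed_versions()).items():
        print(f"{name}: {status}")
```

An `outdated` result means the package predates the fix; whether a deployment is exposed still depends on the conditions described above (a self-hosted SQLite or Redis checkpointer reachable through user-accessible interfaces).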

Broader implications for agentic AI security

Beyond the specific vulnerabilities, the research highlights a broader security challenge emerging with agentic AI systems.

As enterprises increasingly deploy AI agents capable of autonomous decision-making and interaction with business applications, traditional software vulnerabilities may carry amplified consequences due to the elevated privileges and extensive access granted to these systems.

The researchers recommend that organisations treat AI agents as privileged identities and apply security controls comparable to those used for administrative accounts and critical workloads.

Key recommendations include implementing authentication controls in front of AI agent infrastructure, applying least-privilege access principles, reducing reliance on long-lived credentials, strengthening network segmentation and conducting dedicated AI security assessments and red-teaming exercises.

The disclosure adds to growing industry discussions around agentic AI security, where governance, identity management, access controls and runtime protection are emerging as critical considerations for organisations deploying autonomous AI systems at scale.

As AI agents become more deeply integrated into enterprise workflows, security practitioners are increasingly warning that traditional application security risks must now be evaluated through the lens of highly connected, data-rich and autonomous systems.
