PERMISSION/PROTOCOL

2026-06-09

High · Primary

LangGraph 3-CVE Chain: SQL Injection in SQLite Checkpointer Plus Unsafe Deserialization Leads to Full Server RCE on Self-Hosted AI Agent Systems

Check Point Research discloses 3-CVE chain in LangGraph: SQLite SQL injection (CVE-2025-67644) chains to msgpack deserialization RCE (CVE-2026-28277). 50M monthly downloads.

LangGraph
Tool execution / MCP
SQL injection chained to unsafe deserialization (RCE)
Self-hosted LangGraph instances using SQLite or Redis checkpointer with user-controlled filter on get_state_history()

What happened

An attacker sends a malicious metadata filter key to the get_state_history() endpoint, injecting SQL that causes the checkpointer to return an attacker-crafted checkpoint row containing malicious serialized data, which is then deserialized and executed by the server.

Why it matters

Full remote code execution on the agent host server for any self-hosted LangGraph deployment with the SQLite or Redis checkpointer where user-controlled input reaches get_state_history(). Attacker gains complete server access under the LangGraph process credentials.

Missing authorization check

Parameterized queries and input validation on metadata filter keys; cryptographic integrity verification of checkpoint blobs before deserialization to ensure they were produced by a trusted agent runtime.

Would PP block it?

Permission Protocol intercepts agent tool calls and requires signed authority receipts before execution. However, the LangGraph RCE exploit fires during checkpoint deserialization inside the framework's internal persistence layer — before any agent action or tool call is dispatched. A PP-signed checkpoint blob format that validates origin before deserialization could close this gap, but standard PP deployment does not protect internal framework persistence operations.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-06-09

    Check Point Research publishes full disclosure of three LangGraph CVEs with proof-of-concept exploit chain from SQL injection to RCE.

  2. 2026-06-09

    LangChain releases patches: langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, langgraph-checkpoint-redis 1.0.2.

  3. 2026-06-10

    The Hacker News covers the vulnerability chain; security teams begin assessing self-hosted exposure.

  4. 2026-06-19

    VentureBeat reports 7,000 Langflow servers under attack and notes that LangGraph and LangChain share the same class of injection vulnerabilities.

  5. 2026-06-23

    NHS England Digital issues formal cyber alert CC-4761 for a related LiteLLM supply chain attack, signaling regulated-sector awareness of AI framework supply chain risks.

Technical breakdown

  • CVE-2025-67644: The SQLite checkpointer's _metadata_predicate function interpolates user-provided filter keys directly into an f-string SQL template without parameterization, enabling injection of arbitrary SQL via json_extract() path manipulation.
  • CVE-2026-28277: The list() function deserializes the checkpoint BLOB column from query results using msgpack without verifying the data's origin or integrity — injection-returned rows trigger arbitrary deserialization.
  • CVE-2026-27022: The Redis checkpointer is vulnerable to the same class of injection via the same metadata filter key interpolation pattern.
  • The full attack chain requires: (1) get_state_history() or list() reachable with user-controlled filter input, (2) self-hosted deployment on SQLite or Redis checkpointer (PostgreSQL-based deployments are unaffected).
  • LangChain's managed cloud service (LangSmith Deployment / LangGraph Platform) uses PostgreSQL and is not vulnerable to this specific chain.
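The injection sink described above and the missing integrity check, each beside a hardened form, as an added illustration of the fixes proposed under "Missing authorization check". This is constructed Python, not LangGraph's code: the predicate builders, the allowlist regex and the HMAC-SHA256 seal/verify scheme are assumptions standing in for the page's "parameterized queries" and "cryptographic integrity verification" recommendations.

```python
import hashlib, hmac, json, re, sqlite3

# Hypothetical stand-in for a checkpointer's metadata predicate builder.
# Not LangGraph's code; it reproduces only the pattern the advisory describes.
def vulnerable_predicate(filter_: dict) -> tuple[str, list]:
    # Sink: the filter KEY is interpolated into the json_extract path string.
    clauses = [f"json_extract(metadata, '$.{k}') = ?" for k in filter_]
    return " AND ".join(clauses), list(filter_.values())

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # constructed allowlist

def safe_predicate(filter_: dict) -> tuple[str, list]:
    # Reject any key outside a strict allowlist and bind the path as a
    # parameter, so a key can never change the shape of the SQL.
    clauses, params = [], []
    for k, v in filter_.items():
        if not _KEY_RE.match(k):
            raise ValueError(f"rejected metadata filter key: {k!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{k}", v]
    return " AND ".join(clauses), params

def seal(key: bytes, blob: bytes) -> bytes:
    # Prepend an HMAC-SHA256 tag so a stored blob's origin can be verified.
    return hmac.new(key, blob, hashlib.sha256).digest() + blob

def verify_and_unseal(key: bytes, sealed: bytes) -> bytes:
    # Check the tag BEFORE any deserializer (msgpack or otherwise) sees the payload.
    tag, blob = sealed[:32], sealed[32:]
    if not hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha256).digest()):
        raise ValueError("checkpoint integrity check failed")
    return blob

def list_checkpoints(filter_: dict, key: bytes) -> list[bytes]:
    # In-memory table with constructed rows: one legitimate sealed checkpoint
    # and one row planted without a valid tag, which must never be returned.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (metadata TEXT, checkpoint BLOB)")
    db.execute("INSERT INTO checkpoints VALUES (?, ?)",
               (json.dumps({"source": "loop"}), seal(key, b"good-state")))
    db.execute("INSERT INTO checkpoints VALUES (?, ?)",
               (json.dumps({"source": "loop"}), b"\x00" * 32 + b"planted"))
    where, params = safe_predicate(filter_)
    rows = db.execute(f"SELECT checkpoint FROM checkpoints WHERE {where or '1=1'}", params)
    out = []
    for (blob,) in rows:
        try:
            out.append(verify_and_unseal(key, blob))
        except ValueError:
            continue  # drop (and log) untrusted rows instead of deserializing them
    return out
```

Only the rows that pass the integrity check are handed on; an attacker-planted row is discarded before any deserializer runs, which is the point at which the page says the chain fires.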

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The verdict is conditional: PP blocks the attack only where the real action boundary is routed through a gate.

If enforced at
Checkpoint persistence layer / get_state_history() endpoint
Still needs
Internal framework persistence layer operations that execute before agent tool dispatch; checkpoint blob integrity verification at load time
Receipt required for
Any operation that deserializes checkpoint data from external or user-influenced storage; all get_state_history() calls with user-controlled filter parameters

PP enforces authorization gates on agent tool calls and mutations, but the exploit path runs below the agent logic layer — at the checkpoint persistence layer — before PP's enforcement hooks would fire. PP could add a signed checkpoint integrity check, but this is not a current PP primitive.

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
