CVE-2026-27794
Remote Code Execution in LangGraph Checkpoint Cache Backend
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langchain-ai | langgraph-checkpoint | to 4.0.0 (exc) |
| langchain-ai | langgraph-checkpoint-postgres | to 4.0.0 (exc) |
| langchain-ai | langgraph-checkpoint-sqlite | to 4.0.0 (exc) |
| langchain-ai | langgraph | to 5.0.0 (exc) |
| langchain-ai | langgraph-prebuilt | to 5.0.0 (exc) |
| langgraph | langgraph_checkpoint | to 4.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to remote code execution within the LangGraph process if exploited.
An attacker who can write malicious data to the cache backend can execute arbitrary code, potentially compromising the system running LangGraph.
Since exploitation requires write access to the cache storage, it represents a post-compromise escalation vector, allowing attackers to increase their control or persistence on the affected system.
The impact includes full compromise of confidentiality, integrity, and availability of the affected system as indicated by the CVSS metrics.
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-27794 is a remote code execution (RCE) vulnerability in LangChain's LangGraph caching layer affecting versions of the langgraph-checkpoint package prior to 4.0.0."}, {'type': 'paragraph', 'content': "The vulnerability arises because the BaseCache class defaults to using a serializer configuration that falls back to Python's pickle deserialization when msgpack serialization fails. Since pickle deserialization can execute arbitrary code if the data is malicious, this fallback creates a security risk."}, {'type': 'paragraph', 'content': 'Exploitation requires that an application explicitly enables a cache backend inheriting from BaseCache, one or more nodes opt into caching, and an attacker has write access to the cache backend (such as a network-accessible Redis instance with weak or no authentication, shared cache infrastructure, or a writable SQLite cache file).'}, {'type': 'paragraph', 'content': 'An attacker can insert malicious pickle payloads into the cache. When LangGraph later reads and deserializes this data, arbitrary code execution occurs within the LangGraph process.'}, {'type': 'paragraph', 'content': 'Because exploitation requires write access to the cache storage, this vulnerability is considered a post-compromise or post-access escalation vector.'}, {'type': 'paragraph', 'content': 'The issue is fixed in langgraph-checkpoint version 4.0.0 by disabling the pickle fallback in the serializer configuration.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your application uses langgraph-checkpoint versions prior to 4.0.0 with an enabled cache backend that inherits from BaseCache, such as RedisCache, SqliteCache, or InMemoryCache.
You should verify if any nodes in your LangGraph application opt into caching via CachePolicy and if the cache backend is writable by untrusted users or accessible over the network with weak or no authentication.
To detect potential exploitation or presence of malicious payloads, you can inspect the cache backend for suspicious or unexpected data entries that might be pickle payloads.
- For Redis cache: Use commands like `redis-cli --scan` to list keys and `redis-cli GET <key>` to inspect cached values for suspicious binary or pickle-like data.
- For SQLite cache files: Use `sqlite3 <cachefile>` to open the database and run queries like `SELECT * FROM cache_table;` to inspect cached entries.
- Check file permissions on local cache files to ensure they are not writable by unauthorized users, e.g., `ls -l <cachefile>`.
Because exploitation requires write access to the cache backend, monitoring for unauthorized write operations or unexpected changes to cache data can also help detect attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade langgraph-checkpoint to version 4.0.0 or later, where the default serializer disables pickle fallback (`pickle_fallback=false`), preventing unsafe deserialization of pickle data.
If upgrading immediately is not possible, ensure that caching is disabled or that the cache backend is not writable by untrusted users or accessible over the network without strong authentication.
Restrict permissions on local cache files to prevent unauthorized write access.
For networked caches like Redis, enforce strong authentication and network access controls to prevent attackers from writing malicious payloads.
Monitor cache backend activity for suspicious writes or unexpected data that could indicate exploitation attempts.