CVE-2026-28277
Deserialization Vulnerability in LangGraph SQLite Checkpoint Allows Code Execution

Publication date: 2026-03-05

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE: vendor langchain, product langgraph, versions up to and including 1.0.9.
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28277 is a moderate severity vulnerability in the LangGraph package (version 1.0.9 and prior) related to unsafe deserialization of msgpack-encoded checkpoints during checkpoint loading.

LangGraph checkpointers load checkpoints stored in persistent storage (like databases or remote stores) by deserializing Python objects from msgpack data. If an attacker can modify the checkpoint data, such as by compromising the database or gaining privileged write access, they can inject crafted payloads that trigger unsafe object reconstruction when the checkpoint is loaded.

This unsafe deserialization can lead to arbitrary code execution within the application runtime, escalating from write access to the checkpoint store to full code execution, potentially exposing sensitive runtime secrets like environment variables or cloud credentials.

The vulnerability requires attacker-controlled checkpoint bytes at rest and is generally not exploitable by unauthenticated remote attackers in properly configured environments. No public patch or evidence of exploitation in the wild is known.


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker with privileged write access to the checkpoint storage to execute arbitrary code within the application runtime.

This can lead to a full compromise of the application, including exposure of sensitive runtime secrets such as environment variables and cloud credentials.

The impact includes high confidentiality, integrity, and availability risks, potentially allowing attackers to manipulate or disrupt application behavior.

However, exploitation requires prior access to modify checkpoint data, so the vulnerability is a post-exploitation, defense-in-depth issue.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unsafe deserialization of msgpack-encoded checkpoints in LangGraph versions 1.0.9 and prior. Detection primarily involves verifying whether your system is using a vulnerable version of LangGraph and whether checkpoint data stores have been modified or compromised.

Since the vulnerability requires privileged write access to checkpoint storage, monitoring for unauthorized changes to checkpoint databases or files is critical.

Suggested detection steps include:

  • Check the installed LangGraph package version to confirm whether it is 1.0.9 or earlier.
  • Audit checkpoint storage locations (databases, filesystems) for unexpected modifications or suspicious files.
  • Monitor logs and access controls for unusual write activity to checkpoint persistence layers.

Example commands to check the LangGraph version and inspect checkpoint files might include:

  • Check LangGraph version: `pip show langgraph` or `pip list | grep langgraph`
  • List checkpoint files and their modification times: `ls -l /path/to/checkpoints`
  • Check database integrity or recent changes depending on the database used (e.g., SQLite commands like `sqlite3 checkpoint.db 'PRAGMA integrity_check;'` and querying modification timestamps).

Note that no specific detection commands are provided in the available resources, so these suggestions are based on general best practices for detecting unauthorized modifications to checkpoint data. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2026-28277 focus on preventing unsafe deserialization of msgpack-encoded checkpoints and protecting checkpoint storage integrity.

  • Enable strict msgpack deserialization mode by setting the environment variable LANGGRAPH_STRICT_MSGPACK to a truthy value such as 1, true, or yes. This switches deserialization to an allowlist-based approach that only permits safe built-in types.
  • Restrict write access to checkpoint stores to trusted users and services only, treating checkpoint storage as integrity-sensitive.
  • Rotate credentials and secrets associated with checkpoint storage if there is any suspicion of compromise.
  • Avoid using custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.

These mitigations reduce the risk of arbitrary code execution by limiting the types that can be deserialized and by protecting the checkpoint data from unauthorized modification.
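The detection steps and the mitigation list above can be turned into a small, repeatable check. The script below is an added example, not code from the advisory or from the LangGraph project: it evaluates LANGGRAPH_STRICT_MSGPACK using the truthy spellings named in the mitigation text, compares a version string against the 1.0.9 cut-off, runs the SQLite integrity check and fingerprints every checkpoint blob so a later run can flag writes nobody expected. The table name `checkpoints` and the columns `thread_id`, `checkpoint_id` and `checkpoint` are assumptions about the SQLite saver's schema; adjust them to your store.

```python
import hashlib
import os
import sqlite3

STRICT_TRUTHY = {"1", "true", "yes"}  # spellings named in the mitigation text
LAST_VULNERABLE = (1, 0, 9)           # advisory: "version 1.0.9 and prior"

def strict_msgpack_enabled(env=None):
    """True when LANGGRAPH_STRICT_MSGPACK selects the allowlist-based mode."""
    env = os.environ if env is None else env
    return env.get("LANGGRAPH_STRICT_MSGPACK", "").strip().lower() in STRICT_TRUTHY

def is_vulnerable_version(version):
    """Compare the first three numeric components of a version string with 1.0.9."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts) <= LAST_VULNERABLE

def audit_sqlite_checkpoints(path, table="checkpoints",
                             key_cols=("thread_id", "checkpoint_id"), blob_col="checkpoint"):
    """PRAGMA integrity_check plus a SHA-256 fingerprint of every checkpoint blob.

    Table/column names are assumptions about the SQLite saver's schema; adjust them
    to your deployment. They come from trusted config and are validated as identifiers
    before being interpolated. Returns (integrity_ok, {key tuple: hex digest}).
    """
    for ident in (table, blob_col, *key_cols):
        if not ident.isidentifier():
            raise ValueError(f"unsafe identifier: {ident!r}")
    con = sqlite3.connect(path)
    try:
        ok = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        cols = ", ".join((*key_cols, blob_col))
        fingerprints = {}
        for *key, blob in con.execute(f"SELECT {cols} FROM {table}"):
            fingerprints[tuple(key)] = hashlib.sha256(blob or b"").hexdigest()
        return ok, fingerprints
    finally:
        con.close()

def changed_checkpoints(baseline, current):
    """Keys whose blob was altered, added or removed since the baseline snapshot."""
    return {k for k in baseline.keys() | current.keys() if baseline.get(k) != current.get(k)}
```

Store the baseline fingerprints somewhere the application's database credentials cannot reach, since a write path into the checkpoint store is exactly what this advisory assumes an attacker has.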

