CVE-2026-48775
Received Received - Intake
LangGraph SQLite Checkpoint Deserialization Code Execution

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-48775
EUVD
EUVD-2026-37140
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langgraph sqlite_checkpoint to 4.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48775 is an unsafe JSON deserialization vulnerability in LangGraph's checkpoint loading mechanism. The JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. If an unauthorized party can modify the checkpoint bytes stored in the backing store, the deserialization process might reconstruct objects beyond what the application expects. This can lead to arbitrary code execution when the checkpoint is loaded.

This vulnerability is considered a defense-in-depth issue because it requires the attacker to already have write access to the checkpoint store, which is itself a serious security incident. The vulnerability escalates this access to code execution within the LangGraph worker process.

Impact Analysis

If exploited, this vulnerability can allow an attacker who already has write access to the checkpoint store to execute arbitrary code within the LangGraph application runtime. This could lead to exposure of runtime secrets or unauthorized access to other systems accessible by the process.

Because the prerequisite for exploitation is already a serious security breach (write access to checkpoint bytes), the vulnerability primarily escalates the severity of an existing incident by enabling code execution.

Detection Guidance

This vulnerability arises when checkpoint bytes at rest in the backing store have been modified by an unauthorized party. Detection involves verifying the integrity of checkpoint files used by LangGraph SQLite Checkpoint versions 4.1.0 and prior.

Since the vulnerability is related to unsafe JSON deserialization of checkpoint payloads, you should check for any unexpected or unauthorized changes to checkpoint files.

There are no specific commands provided in the available resources to detect this vulnerability directly.

However, general integrity checks on checkpoint files can be performed using file hash verification commands such as:

  • On Linux/macOS: `sha256sum <checkpoint_file>` or `md5sum <checkpoint_file>`
  • On Windows PowerShell: `Get-FileHash <checkpoint_file> -Algorithm SHA256`

Compare the computed hashes against known good values to detect unauthorized modifications.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade LangGraph SQLite Checkpoint to version 4.1.1 or later, where the issue has been fixed.

Additionally, restrict write access to the checkpoint store to trusted users and processes only, as unauthorized write access is a prerequisite for exploitation.

Avoid using custom JSON revival hooks unless the checkpoint data is fully trusted.

Treat checkpoint stores as integrity-sensitive data and monitor them for unauthorized modifications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48775. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart