LangGraph's Hidden Vulnerability Chain Exposes Enterprise AI Agents to Complete Takeover
Researchers at Check Point have disclosed a critical vulnerability chain in LangGraph, a widely adopted open-source framework for building AI agents, warning that the flaws could allow attackers to achieve remote code execution and gain control over self-hosted AI agent environments. The discovery highlights how traditional software vulnerabilities carry dramatically amplified consequences when they occur within AI agent frameworks that possess access to sensitive enterprise data, credentials and operational systems.
What Makes This Vulnerability Chain So Dangerous?
The vulnerability chain affects self-hosted deployments of LangGraph that use SQLite or Redis-based checkpointing mechanisms and expose specific application programming interfaces (APIs) to user-controlled inputs. LangGraph, developed by the creators of LangChain, has emerged as one of the most widely used frameworks for building AI agents and agentic workflows. The platform enables developers to create stateful applications capable of retaining memory, orchestrating multi-step processes and interacting with enterprise systems.
The researchers identified a vulnerability in LangGraph's checkpoint management functionality, specifically within the mechanism used to retrieve historical execution states. The issue stems from an SQL injection vulnerability that allows attackers to manipulate database queries and retrieve unauthorized checkpoint data. When combined with a separate deserialization weakness in how LangGraph processes stored checkpoint information, the flaw can be leveraged to execute malicious code on the underlying server.
Three Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to the specific weaknesses:
- CVE-2025-67644: SQLite injection vulnerability allowing unauthorized database access
- CVE-2026-28277: MessagePack deserialization leading to remote code execution
- CVE-2026-27022: Redis injection vulnerability affecting alternative checkpoint backends
All identified vulnerabilities have been patched by the LangChain development team.
Why Should Enterprises Treat This Differently Than Other Software Bugs?
Unlike prompt injection attacks that typically affect individual AI interactions, a compromise at the agent infrastructure level could provide attackers with persistent access to the broader environment in which the AI agent operates. A successful compromise could expose a wide range of enterprise assets connected to AI agent environments, including API credentials for large language models (LLMs), historical conversation records, customer data, CRM systems, internal databases and other applications accessed by the AI agent.
The critical distinction is that AI agents increasingly function as privileged entities within enterprise environments, often holding credentials and permissions to access multiple systems on behalf of users. As a result, compromising an agent runtime can potentially provide a pathway into broader enterprise infrastructure. Researchers also highlighted the risk of attackers manipulating agent behavior after compromise, potentially influencing automated decisions, accessing sensitive information or abusing trusted workflows.
How to Protect Your Organization's AI Agent Infrastructure
- Update Immediately: Organizations running LangGraph versions earlier than 1.0.10, LangGraph-checkpoint-sqlite earlier than 3.0.1, or LangGraph-checkpoint-redis earlier than 1.0.2 have been advised to update immediately to patched versions
- Implement Authentication Controls: Place authentication controls in front of AI agent infrastructure to prevent unauthorized access to vulnerable APIs and checkpoint management systems
- Apply Least-Privilege Access: Reduce reliance on long-lived credentials and ensure AI agents operate with the minimum permissions necessary to complete their assigned tasks
- Strengthen Network Segmentation: Isolate AI agent environments from critical enterprise systems and limit lateral movement potential if a compromise occurs
- Conduct Dedicated Security Assessments: Perform AI-specific red-teaming exercises and security assessments to identify vulnerabilities unique to agentic systems
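As an added example for the update step above (not code from Check Point or the LangChain project), the following script checks pinned versions in `pip freeze` output or a lock file against the patched versions the article lists. The distribution names are assumed to be the article's package names in lowercase, and the sample pin list is constructed for illustration.

```python
import re

# Minimum patched versions from the article's update guidance. Distribution
# names are assumed to be the article's package names, lowercased.
PATCHED = {
    "langgraph": (1, 0, 10),
    "langgraph-checkpoint-sqlite": (3, 0, 1),
    "langgraph-checkpoint-redis": (1, 0, 2),
}

def normalize(name):
    """PEP 503 normalization: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_outdated(version, minimum):
    """True if version is below minimum, or is a pre-release of minimum."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        return True  # unparseable pin: flag it for manual review
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad "1.1" to (1, 1, 0)
    pre = re.match(r"[.\-_]?(a|b|rc|dev|alpha|beta)", m.group(2)) is not None
    return parts < minimum or (parts == minimum and pre)

def parse_freeze(text):
    """Collect 'name==version' pins; comments and other lines are skipped."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9._-]+)(?:\[[^\]]*\])?==([^\s;]+)",
                     line.split("#", 1)[0].strip())
        if m:
            pins[m.group(1)] = m.group(2)
    return pins

def audit(pins):
    """Return sorted (package, pinned version, patched version) findings."""
    findings = []
    for name, version in pins.items():
        minimum = PATCHED.get(normalize(name))
        if minimum and is_outdated(version, minimum):
            findings.append((normalize(name), version, ".".join(map(str, minimum))))
    return sorted(findings)

# Constructed sample pin list, not taken from any real deployment.
SAMPLE = """\
langgraph==1.0.9
LangGraph_Checkpoint_SQLite==3.0.1
langgraph-checkpoint-redis==1.0.2rc1
requests==2.32.0  # unrelated package, ignored
"""

if __name__ == "__main__":
    for name, have, need in audit(parse_freeze(SAMPLE)):
        print(f"{name} {have} is older than patched version {need}")
```

Replacing `SAMPLE` with the `pip freeze` output from each self-hosted agent environment gives a quick inventory of hosts that still need the update.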
According to Check Point, the vulnerability chain does not affect LangChain's managed deployment platform, which uses PostgreSQL rather than the vulnerable checkpointing implementations. The affected scenarios are limited to self-hosted deployments that use SQLite or Redis checkpoint backends and expose the vulnerable functionality through user-accessible interfaces.
The researchers recommend that organizations treat AI agents as privileged identities and apply security controls comparable to those used for administrative accounts and critical workloads. This represents a fundamental shift in how enterprises should approach AI agent security, moving beyond traditional application security practices to account for the elevated privileges and extensive access granted to these systems.
The disclosure adds to growing industry discussions around agentic AI security, where governance, identity management, access controls and runtime protection are emerging as critical considerations for organizations deploying autonomous AI systems at scale. As AI agents become more deeply integrated into enterprise workflows, security practitioners are increasingly warning that traditional application security risks must now be evaluated through the lens of highly connected, data-rich and autonomous systems.