Something important dropped Friday and it's being underreported in the circles where most small org leaders get their AI news.
Check Point Research disclosed a three-vulnerability chain in LangGraph — the open-source AI agent framework built by the LangChain team. When chained together, these flaws give an attacker full remote code execution on your agent server. Not partial access. Not a data leak. Full control.
LangGraph has 46.5 million monthly downloads. It's in customer support bots, internal automation tools, document processing pipelines, and CRM-connected agents at companies of every size. If you (or your developer) self-hosted it to save on cloud costs, this affects you.
What Actually Happened
The researchers found three separate bugs that work in sequence:
CVE-2025-67644 — SQL injection in LangGraph's SQLite checkpoint system. The checkpoint stores the "memory" of your AI agent between conversations. The bug lets an attacker manipulate queries by messing with metadata filter keys.
CVE-2026-28277 — Unsafe deserialization in the same checkpoint layer. Once the attacker can write to the checkpoint via the SQL injection, they trigger this to reconstruct arbitrary objects when the checkpoint loads. That's the door to code execution.
CVE-2026-27022 — A query injection in the Redis checkpoint component, used when teams scale up from SQLite to Redis for higher throughput.
The entry point is the get_state_history() endpoint — something every LangGraph deployment exposes by default to let agents retrieve their conversation history.
Chain them together: inject into checkpoint storage → poison the deserialization → execute arbitrary code when the agent loads its state. The researchers at Check Point published the full technical write-up. It's not theoretical. It works.
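The key-handling mistake at the root of the chain, as an added illustration that is not LangGraph's or Check Point's code: a query builder that splices metadata filter keys into the SQL text, beside a hardened builder that only accepts identifier-shaped keys and binds the JSON path as a parameter. The `checkpoints` table, its JSON `metadata` column and the sample rows are all assumed for the demo.

```python
import json
import re
import sqlite3

# Assumed shape for the demo: a checkpoint table whose metadata column is a JSON
# document, queried by metadata filters the caller supplies as a dict.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")  # filter keys must be identifiers


def build_filter_unsafe(metadata_filter: dict) -> tuple:
    """Anti-pattern: filter KEYS are spliced into the SQL text; only values are
    bound. Whatever key text the caller controls becomes part of the query."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id", params


def build_filter_safe(metadata_filter: dict) -> tuple:
    """Hardened form: reject any key that is not a plain identifier, and bind the
    JSON path as a parameter so no caller text ever reaches the SQL string."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id", params


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: two checkpoints with JSON metadata."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (checkpoint_id TEXT, thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [("c1", "t1", json.dumps({"source": "input", "step": 1})),
         ("c2", "t2", json.dumps({"source": "loop", "step": 2}))],
    )
    return conn


def query_history(conn: sqlite3.Connection, metadata_filter: dict, builder=build_filter_safe) -> list:
    """Run a history lookup through the chosen query builder (safe by default)."""
    sql, params = builder(metadata_filter)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = demo_db()
    print(query_history(db, {"source": "input"}))  # ['c1']
```

With the safe builder the key never appears in the SQL string at all; with the unsafe one any key text is copied into it verbatim, which is the whole problem.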
Why This Hits Small Orgs Hard
Here's the thing about self-hosted AI agents: they have a lot of access. That's kind of the point.
If you've built an agent that can search your CRM, pull from your database, send emails, or talk to your internal APIs — and you've deployed it on your own server — everything the agent can touch, an attacker can now touch too. LLM API keys (often with high billing limits), customer records, email threads, database credentials. The compromised server also becomes a pivot point into your internal network.
Enterprise teams running LangGraph through LangSmith (the managed cloud offering) are not impacted. This only hits self-hosted deployments. Which is exactly the deployment model that small teams, nonprofits, and SMBs tend to reach for — because it's cheaper and gives you more control.
The cruel irony: the organizations who took the DIY path to avoid vendor lock-in are the ones exposed.
Is Your Setup Affected?
Ask yourself or your developer these questions:
- Do you run langgraph serve or deploy a LangGraph server on your own infrastructure (cloud VM, on-prem, DigitalOcean droplet, etc.)?
- Are you using the SQLite checkpoint (SqliteSaver) or Redis checkpoint (RedisSaver) to store agent memory?
- Is any part of your agent's input — user messages, form submissions, API parameters — flowing into the checkpoint without sanitization?
If yes to the first two, you are in scope. If yes to all three, you should assume this is actively exploitable on your setup.
What to Do Right Now
The patches are out. This is the boring but critical part:
- Update langgraph to 1.0.10 or later
- Update langgraph-checkpoint-sqlite to 3.0.1 or later
- Update langgraph-checkpoint-redis to 1.0.2 or later
Run pip install --upgrade langgraph langgraph-checkpoint-sqlite langgraph-checkpoint-redis and redeploy. If you're running containerized, rebuild and push the updated image.
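An added helper (not from the LangGraph project or the original post) that checks the three packages in the current environment against the fixed versions listed above. It assumes plain dotted release numbers; a pre-release of the fixed version is deliberately still flagged.

```python
from importlib.metadata import PackageNotFoundError, version
from typing import Dict, Optional, Tuple

# Minimum fixed releases, as listed in the update steps above.
FIXED_VERSIONS = {
    "langgraph": "1.0.10",
    "langgraph-checkpoint-sqlite": "3.0.1",
    "langgraph-checkpoint-redis": "1.0.2",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version -> comparable tuple. A pre-release suffix ('1.0.10rc1') sorts
    below the final release, so it still counts as needing the update.
    Assumption: plain release segments, no epochs or local labels."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
        if len(digits) != len(piece):  # a suffix such as 'rc1' or 'b2' follows
            return tuple(parts + [-1])  # ranks below the final-release marker
    return tuple(parts + [0])           # final-release marker

def needs_update(installed: str, fixed: str) -> bool:
    return parse_version(installed) < parse_version(fixed)

def audit(installed: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each package to 'ok', 'UPDATE' or 'not installed' (version None)."""
    report = {}
    for pkg, fixed in FIXED_VERSIONS.items():
        current = installed.get(pkg)
        if current is None:
            report[pkg] = "not installed"
        else:
            report[pkg] = "UPDATE" if needs_update(current, fixed) else "ok"
    return report

def installed_versions() -> Dict[str, Optional[str]]:
    """Versions present in the current environment (None when absent)."""
    found = {}
    for pkg in FIXED_VERSIONS:
        try:
            found[pkg] = version(pkg)
        except PackageNotFoundError:
            found[pkg] = None
    return found
```

Run `audit(installed_versions())` inside the same virtualenv or container image the agent server uses; checking from a different environment tells you nothing.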
After patching, do a quick review of what your agent server is actually exposed to. Is the get_state_history() endpoint publicly reachable? It shouldn't be. Lock it behind authentication if it isn't already. If you don't know, treat it as exposed until you verify otherwise.
The Bigger Picture
This is the second major RCE in an agentic framework in the last two months. CrewAI had a prompt injection chain in April. PraisonAI shipped with authentication disabled by default in May. LangGraph's turn came in June.
There's a pattern here. These frameworks were built by teams moving fast to capture market position. Security wasn't the first priority — it rarely is in a nascent ecosystem racing to define itself. The codebases are maturing in public, under pressure, while production systems pile up on top of them.
This is not an argument against using open-source agentic frameworks. They're still the right move for most small teams — more flexible, cheaper, not vendor-locked. But you need to treat them like infrastructure, not like an npm install you forget about.
That means version-pinning, monitoring for CVEs, and having someone actually responsible for keeping the agent stack updated. Not "we'll get to it" but a named person with a scheduled task.
If you've deployed an AI agent in the last 12 months and nobody on your team is watching the security feeds for the frameworks you're running on, that's a gap worth closing before the next one drops.
We run agent security reviews as a standalone sprint — looking at your deployment stack, access scopes, checkpoint exposure, and dependency hygiene. If you want a second set of eyes on what you've built, we're easy to reach.