Check Point chains SQL injection to RCE in LangGraph's checkpointer (CVE-2025-67644 + CVE-2026-28277)
From CTI Daily Brief — 2026-06-13 · published 2026-06-13 · view item permalink →
Check Point Research disclosed a vulnerability chain in LangGraph, the open-source stateful-agent framework published under LangChain (Check Point Research, 2026-06-11). CVE-2025-67644 is a SQL injection in the SQLite checkpointer's get_state_history() function, which interpolates user-controlled metadata filter keys directly into SQL without sanitisation. Chained with CVE-2026-28277, an unsafe msgpack deserialization in checkpoint loading, an attacker injects a crafted checkpoint row via the SQLi and triggers arbitrary Python module import and command execution when the application later loads that checkpoint — full server-side RCE (The Hacker News, 2026-06-12). A parallel SQLi in the Redis checkpointer is tracked as CVE-2026-27022. Exploitation requires a self-hosted deployment using the SQLite or Redis checkpointer that exposes get_state_history() to user-controlled filter input; PostgreSQL-backed deployments and LangChain's managed LangSmith cloud are not affected. Per Check Point, the fixes shipped in langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644), langgraph 1.0.10 (CVE-2026-28277) and langgraph-checkpoint-redis 1.0.2 (CVE-2026-27022). Maps to T1190 and T1059.006. This is the substantive technical disclosure behind the agentic-AI attack surface that Swiss/EU public-sector AI pilots are increasingly building on. Defender action: pin the fixed versions, treat get_state_history() filter input as untrusted even in internal tooling, and never expose the state-history API unauthenticated.