LangGraph flaws show the risk of stored agent memory

What this is about

Check Point Research published details on June 11, 2026 about three now-patched vulnerabilities in LangGraph. The most important chain combines SQL injection in a SQLite checkpointer with unsafe deserialization and can lead to remote code execution in certain self-hosted setups.

This is not an abstract lab warning. LangGraph is used to build stateful AI agents: workflows that store steps, tool calls and intermediate results. That stored memory becomes the attack surface when an application passes user-controlled parameters into checkpoint history without proper validation.

What LangGraph checkpointers actually do

LangGraph checkpointers store an agent's state after individual steps. That lets an agent resume later, show its history or continue from previous results. In self-hosted deployments, teams can use backends such as SQLite or Redis for that persistence.

According to Check Point, the critical chain appears when an application exposes get_state_history() with a user-controlled filter. The SQLite checkpointer built parts of a query from metadata keys. An attacker could inject SQL, add a fake checkpoint row to the result and then trigger data that was handled unsafely when the checkpoint was loaded.

Check Point names three affected areas: CVE-2025-67644 for the SQLite SQL injection, CVE-2026-28277 for unsafe msgpack deserialization and CVE-2026-27022 for a similar injection class in the Redis checkpointer. The research post says patches include langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+ and langgraph-checkpoint-redis 1.0.2+.

Why it matters

AI agents are not just chat windows. They often receive API keys, internal documents, ticket access, build systems or browser tools. If the persistence layer of an agent is compromised, the result can be more serious than a broken chat history.

The finding also matters because the attack does not start inside the model itself. It starts at the software edge around the model: database queries, serialization, stored state and user filters. That is where many real risks are appearing as teams move agents from prototypes into internal production.

For developers, the practical consequence is direct: apply the patches, do not connect get_state_history() directly to untrusted user filters, and treat stored agent state as sensitive server data.

In plain language

Imagine a bakery that labels every bowl of dough with a note: customer, recipe, time and next step. If someone can slip their own notes into the shelf and the bakery later follows those notes as instructions, a simple order history can become a sabotage plan.

LangGraph checkpoints are similar: they are memory notes for agents. The memory is useful, but outside input must never be confused with instructions.

A practical example

An internal support team runs a LangGraph agent for 25,000 customer tickets per month. The agent stores several checkpoints per ticket so an employee can later see why a discount was suggested or why a case was escalated.

If the application offers history search and accepts filters such as user_id or ticket_status without validation, an attacker could send a manipulated filter. In a vulnerable setup, this may not only produce a bad SQLite query, but also a crafted checkpoint row that executes code when loaded. A convenience feature for audit trails becomes an entry point into the server.

Scope and limits

First, the described chain does not automatically affect every LangGraph use. Check Point narrows the risk to self-hosted setups with SQLite or Redis checkpointers and user-controlled filters. LangChain's managed LangSmith Deployment uses PostgreSQL, and Check Point says it is not affected by this chain.

Second, the vulnerabilities are patched. The real danger is in unmaintained deployments, internal agents without a reliable update process and applications that expose debug or history endpoints too broadly.

Third, updating is not the whole architecture job. Even patched agent systems need input validation, minimal tool permissions, separated secrets and logging that makes attacks against the persistence layer visible.

SEO & GEO keywords

LangGraph, LangChain, AI agent security, Check Point Research, CVE-2025-67644, CVE-2026-28277, CVE-2026-27022, remote code execution, SQLite checkpointer, Redis checkpointer, AI workflow security