LangGraph's checkpointer has a 50M-download RCE chain. Check Point just exposed it.

Two CVEs in LangGraph's persistence layer chain into remote code execution.

SQL injection in SQLite checkpoint. Unsafe msgpack deserialization. Together they give an attacker full shell access on your agent server.

LangGraph runs in 50 million monthly downloads. This isn't a niche library. It's the persistence backbone for stateful agent systems everywhere.

Here's the attack chain:

An attacker sends a malicious `filter` parameter to `get_state_history()`.

The filter key escapes the JSON path in the SQL query via f-string interpolation.

A `UNION SELECT` injects a fake checkpoint row containing a crafted msgpack payload.

The payload uses `EXT_CONSTRUCTOR_SINGLE_ARG` to call `os.system()` with attacker-controlled commands.

Three CVEs total:

CVE-2025-67644: SQL injection in SQLite checkpointer
CVE-2026-28277: RCE via msgpack deserialization
CVE-2026-27022: Same injection class in Redis checkpointer

Who's at risk: self-hosted LangGraph deployments using SQLite or Redis checkpointers where `get_state_history()` accepts user-controlled `filter` input.

Who's safe: LangSmith Deployment runs PostgreSQL. Not affected.

LangChain patched all three. Update now:

langgraph-checkpoint-sqlite >= 3.0.1
langgraph >= 1.0.10
langgraph-checkpoint-redis >= 1.0.2

If you're self-hosting LangGraph with the SQLite or Redis checkpointer, audit every endpoint that exposes `get_state_history()`. The filter parameter is your attack surface.

Check Point disclosed in November 2025. Patches shipped between December 2025 and March 2026. If you haven't updated, you've been exposed for months.

SOURCE: https://research.checkpoint.com/2026/from-sqli-to-rce-exploiting-langgraphs-checkpointer/
VERIFIED: Check Point Research (primary), NVD CVE-2025-67644, LangChain GitHub Security Advisory
SIGNAL: Agent persistence layers are now first-class attack targets. Every self-hosted checkpoint store needs input validation at the filter boundary.