LangGraph Memory Bugs Turn Checkpoints Into Command Paths
Key Takeaways
- Check Point disclosed three LangGraph persistence-layer vulnerabilities affecting self-hosted deployments.
- Two issues could chain into remote code execution through SQLite checkpoint handling.
- LangChain’s managed cloud deployment was reported as not affected by the vulnerable backends.
- The case shows why AI agent memory and state stores must be secured like critical infrastructure.
Summary
LangGraph vulnerabilities disclosed by Check Point show how an agent framework’s memory layer can become a server compromise path. The issue is especially relevant to stateful AI agents because checkpoints preserve reasoning history, tool state, and workflow continuity across sessions.
What We Know
On June 12, 2026, Check Point Research disclosed vulnerabilities in LangGraph’s checkpointing layer, including SQL injection in SQLite checkpoint handling and unsafe msgpack deserialization. The primary Check Point Research analysis described CVE-2025-67644 and CVE-2026-28277 as chainable into remote code execution under specific self-hosted conditions. It also described CVE-2026-27022 as a related Redis checkpointer injection issue. The Hacker News coverage reported that the issues were patched and affected teams self-hosting LangGraph where user-controlled filters could reach get_state_history(). The finding belongs in the PointGuard AI Security Incident Tracker because LangGraph is used to build stateful multi-agent applications, and persistent agent memory is increasingly part of the AI control surface. Public sources indicate a vulnerability disclosure, not confirmed widespread exploitation.
What Could Happen
The technical failure began in checkpoint retrieval, where user-controlled filters could influence database queries. In affected SQLite configurations, SQL injection could manipulate which checkpoint data was returned. The second step was unsafe deserialization of msgpack data, allowing attacker-controlled content to become code execution when processed. A related Redis issue showed that alternate persistence backends could carry similar injection classes. AI’s contribution is not that the model generated malicious code. The AI-specific issue is that agent memory stores are often treated as supporting infrastructure, even though they preserve high-value context and drive future agent behavior. When an agent framework trusts checkpoint data too broadly, stored state becomes an execution boundary. In agentic systems, memory is not passive storage. It can influence planning, tool calls, and control flow across future sessions.
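As an added illustration of the checkpoint-retrieval weakness described above (this is not LangGraph's code and not taken from the Check Point analysis), the example below builds a metadata filter for a checkpoint history lookup so that no caller-supplied text reaches the SQL string. The `checkpoints` table, its columns, and the function names are hypothetical; the allow-list pattern for keys is an assumption about what a legitimate metadata key looks like.

```python
import json
import re
import sqlite3

# Assumption: metadata keys are plain identifiers; anything else is refused.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def build_filter_clause(filters):
    """Turn a caller-supplied filter dict into (sql_fragment, params)."""
    clauses, params = [], []
    for key, value in filters.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        if not isinstance(value, (str, int, float)):
            raise ValueError(f"rejected filter value for key {key!r}")
        # Both the JSON path and the value are bound, never concatenated.
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return " AND ".join(clauses) or "1=1", params


def state_history(conn, thread_id, filters):
    """Return checkpoint ids for one thread that match the filters."""
    where, params = build_filter_clause(filters)
    sql = ("SELECT checkpoint_id FROM checkpoints "
           "WHERE thread_id = ? AND " + where + " ORDER BY checkpoint_id")
    return [row[0] for row in conn.execute(sql, [thread_id, *params])]


def demo_store():
    """Constructed in-memory store; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints "
                 "(thread_id TEXT, checkpoint_id TEXT, metadata TEXT)")
    rows = [("t1", "c1", {"source": "input", "step": 0}),
            ("t1", "c2", {"source": "loop", "step": 1}),
            ("t2", "c3", {"source": "loop", "step": 1})]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)",
                     [(t, c, json.dumps(m)) for t, c, m in rows])
    return conn


if __name__ == "__main__":
    store = demo_store()
    print(state_history(store, "t1", {"source": "loop"}))
    try:
        state_history(store, "t1", {"source' x": "loop"})
    except ValueError as exc:
        print(exc)
```

The same discipline applies to the second stage the paragraph describes: bytes read back from the store should be decoded as data only, never into arbitrary objects.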
Why It Matters
LangGraph is part of a broader class of AI orchestration frameworks that developers use to build assistants, copilots, and autonomous workflows. A remote code execution chain in that layer can expose API keys, environment secrets, prompts, user data, tool credentials, and application servers. Even if exploitation requires a particular self-hosted setup, the risk is meaningful because developers often deploy agent frameworks quickly and expose debugging or state APIs during experimentation. The incident also challenges governance assumptions. AI security teams cannot focus only on models and prompts. They must inventory frameworks, memory stores, serialization paths, and persistence backends. For regulated organizations, compromised agent memory could raise privacy and audit concerns if conversation history, customer records, or proprietary workflow data are stored in checkpoints.
PointGuard AI Perspective
PointGuard AI helps reduce this class of risk by giving security teams continuous visibility into AI assets, agent frameworks, and runtime behavior. The PointGuard AI Agent Control Plane is especially relevant because it validates agent actions before they execute and helps contain rogue behavior in real time. For applications that expose tools and state through agent workflows, the PointGuard AI MCP Security Gateway can enforce identity-aware controls across tool calls and resource access. PointGuard’s prior analysis of Semantic Kernel Lets a Prompt Open a Shell shows the same pattern: prompt and framework weaknesses can escalate into host-level compromise when agents are allowed to bridge natural-language intent and execution. For LangGraph-style deployments, PointGuard AI would help identify where stateful agent frameworks are running, monitor abnormal access to memory and tools, and apply policies that limit what an agent can do even if a framework component is compromised. The lesson is direct: trustworthy AI requires governing the memory and orchestration layer, not just the model endpoint.
Incident Scorecard Details
Total AISSI Score: 6.7/10
- Criticality = 8.0 (AISSI weighting: 25%): Agent servers, memory, secrets, and workflow state may be exposed.
- Propagation = 7.0 (AISSI weighting: 20%): Risk is concentrated in affected self-hosted patterns but relevant across agent frameworks.
- Exploitability = 5.0 (AISSI weighting: 15%): A chain is documented, but requires specific exposed usage conditions.
- Supply Chain = 8.0 (AISSI weighting: 15%): LangGraph is a third-party open-source agent framework dependency.
- Business Impact = 5.5 (AISSI weighting: 25%): Serious potential impact, with no confirmed widespread exploitation or customer damage reported.
Sources
- Check Point Research: From SQLi to RCE, Exploiting LangGraph’s Checkpointer
- The Hacker News: LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution
- Cloud Security Alliance: LangGraph Checkpoint RCE
- PointGuard AI Security Incident Tracker
- PointGuard AI Agent Control Plane
- PointGuard AI MCP Security Gateway
- Semantic Kernel Lets a Prompt Open a Shell
