Your AI agent's memory is an attack surface. Check Point Research has shown that it is possible to go from SQL injection to remote code execution through the LangGraph checkpointer. At Tech86 we have tracked this class of vulnerability closely: it is not the first time the persistence layer of an AI agent has become a compromise vector.
The chain: from SQL injection to RCE through agent memory
LangGraph is one of the most widely used agent frameworks in the LangChain ecosystem, with 50 million monthly downloads per PyPI Stats. The checkpointer is the component that gives the agent persistent memory: it saves conversation state, context, and tool usage. It is what allows the agent to resume where it left off.
Check Point Research reported three CVEs: two SQL injections in checkpointer backends (one in the Python SQLite checkpointer, one in the JavaScript Redis checkpointer) and one insecure deserialization bug that the advisory classifies as defense-in-depth. A SQL injection combined with the deserialization bug forms a complete exploitation chain:
CVE-2025-67644 (CVSS 7.3 per CNA; NVD assessed 7.8): SQL injection in the SQLite checkpointer. The _metadata_predicate() function interpolates filter keys into f-strings without validation. The vector is the keys, not the values. Applications that accept untrusted filter keys in queries are vulnerable. Patch: langgraph-checkpoint-sqlite 3.0.1+.
CVE-2026-27022: same class of injection in the Redis checkpointer for the JavaScript/Node.js ecosystem (@langchain/langgraph-checkpoint-redis). Same mechanism, different backend and runtime. CVSS 6.5 (CNA). NVD has not yet published an independent assessment.
CVE-2026-28277 (CVSS 6.8 per CNA; NVD assessed 7.2): insecure msgpack deserialization during checkpoint loading. The checkpointer reconstructs Python objects from msgpack data. If an attacker can modify checkpoint data in the backing store — for example, after compromising the database via SQL injection — they can supply a payload that executes arbitrary code when the checkpoint is loaded. Patch: langgraph 1.0.10+.
The chain is linear: SQL injection → checkpoint data manipulation → msgpack deserialization → remote code execution. Each step enables the next.
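To make the first link of the chain concrete, here is an added example (written for this article, not LangGraph's own code) that models the pattern described for CVE-2025-67644: a metadata filter whose values are bound as parameters but whose keys are pasted into the SQL text. The table layout, the sample rows and the ALLOWED_KEYS set are constructed assumptions. The hardened builder does what the mitigation section later recommends: it rejects any key that is not a known identifier, and it binds the JSON path itself as a parameter so no key text ever reaches the query string.

```python
import json
import re
import sqlite3

# Constructed sample data (not from the page): two threads, each with one
# checkpoint row and a JSON metadata column, roughly like the SQLite checkpointer.
SAMPLE_ROWS = [
    ("thread-alice", "ckpt-a1", {"source": "input", "step": 1, "user": "alice"}),
    ("thread-bob", "ckpt-b1", {"source": "loop", "step": 2, "user": "bob"}),
]


def make_db():
    """In-memory SQLite database with a minimal checkpoints table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, metadata TEXT)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?)",
        [(t, c, json.dumps(m)) for t, c, m in SAMPLE_ROWS],
    )
    return conn


def vulnerable_predicate(metadata_filter):
    """Simplified stand-in for the vulnerable pattern: the filter VALUE is bound,
    but the filter KEY is interpolated into the SQL text."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return (" AND ".join(clauses) or "1=1"), params


# Hypothetical allowlist of the metadata keys the application actually queries on.
ALLOWED_KEYS = frozenset({"source", "step", "user"})
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def hardened_predicate(metadata_filter, allowed_keys=ALLOWED_KEYS):
    """Rejects any key that is not a plain identifier on the allowlist, and binds
    the JSON path as a parameter so no key text reaches the SQL string."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not isinstance(key, str) or not _IDENT.match(key) or key not in allowed_keys:
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return (" AND ".join(clauses) or "1=1"), params


def list_checkpoints(conn, thread_id, metadata_filter, predicate=hardened_predicate):
    """Rows (thread_id, checkpoint_id) for one thread, filtered by metadata.
    thread_id is always bound; only the predicate builder differs."""
    where, params = predicate(metadata_filter)
    sql = f"SELECT thread_id, checkpoint_id FROM checkpoints WHERE thread_id = ? AND {where}"
    return conn.execute(sql, [thread_id, *params]).fetchall()


def is_rejected(metadata_filter):
    """True if the hardened builder refuses the filter."""
    try:
        hardened_predicate(metadata_filter)
        return False
    except ValueError:
        return True


# Attacker-controlled filter KEY: it closes the JSON path literal and appends
# OR 1=1, so the thread_id restriction no longer applies and every thread's
# checkpoints come back. The value is irrelevant.
MALICIOUS_FILTER = {"source') IS NOT NULL OR 1=1 OR ('": "anything"}


if __name__ == "__main__":
    conn = make_db()
    print(list_checkpoints(conn, "thread-alice", {"source": "input"}, vulnerable_predicate))
    print(list_checkpoints(conn, "thread-alice", MALICIOUS_FILTER, vulnerable_predicate))
    print("hardened rejects malicious key:", is_rejected(MALICIOUS_FILTER))
```

Run with the vulnerable builder, the malicious key returns both threads' checkpoints even though thread_id was bound; run with the hardened builder, the same key is rejected before any SQL is built. Python's sqlite3 does not execute stacked statements in execute(), so this demo shows cross-thread read access; the write access the page's chain relies on depends on the backend and query path.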
The defense-in-depth debate
The GitHub advisory classifies CVE-2026-28277 as "post-exploitation / defense-in-depth" and states there is no evidence of exploitation in the wild. Taken in isolation, that classification is defensible: the bug only matters once an attacker can already write to the checkpoint store.
But the chain documented by Check Point changes the calculus. The prerequisite for insecure deserialization — write access to the checkpoint store — is achievable via SQL injection. The "defense-in-depth" classification only holds if the checkpointer is not exposed to untrusted input. If it is, the chain is complete and the real severity is significantly higher than the individual classification suggests.
At Tech86, we have seen this dynamic before: vulnerabilities classified as defense-in-depth that, in practice, form complete exploitation chains. The correct classification depends on deployment context, not just the isolated vulnerability.
The independent vector: pickle fallback
There is also CVE-2026-27794, discovered by Trend Micro's Zero Day Initiative (ZDI), which affects BaseCache in langgraph-checkpoint prior to 4.0.0: the cache has a fallback to pickle. Pickle is Python's native serialization format, and unpickling untrusted data can execute arbitrary code; the Python documentation states this explicitly.
This fallback enables direct RCE without SQL injection as a prior step. It is an independent vector, separate from the SQLi-to-RCE chain, and just as critical: the precondition is not a vulnerable query path but attacker-controlled bytes in the cache backend that reach the pickle fallback. Any deployment with langgraph-checkpoint prior to 4.0.0 is exposed, regardless of whether the checkpointer accepts untrusted input.
Who is at risk
Teams that self-host LangGraph with SQLite or Redis checkpointers and expose get_state_history() with user-controlled filters. The LangChain managed cloud uses PostgreSQL and is not vulnerable to the documented chain, per the GitHub advisory and Check Point Research.
The risk profile is clear: if the deployment accepts untrusted filter keys, the SQLi-to-RCE chain is complete. If it uses langgraph-checkpoint prior to 4.0.0, the pickle fallback is an independent vector. Many teams fall into both scenarios simultaneously.
The mitigation that works
The primary mitigation is to enable LANGGRAPH_STRICT_MSGPACK=true in production. This switches the deserialization policy to an allowlist — only safe types are reconstructed from msgpack data. LangGraph can automatically derive the allowlist from graph schemas at compile time.
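The following added example (written for this article, not LangGraph's code or wire format) models the deserialization step described under CVE-2026-28277 and the allowlist policy this section recommends. The tagged "constructor" record, the hypothetical STATE_SCHEMA and the blobs are constructed assumptions: the unsafe reviver imports whatever module and attribute the data names, so a tampered record is a code-execution primitive; the strict reviver only reconstructs types derived from the declared state schema, mirroring the idea of deriving the allowlist from graph schemas.

```python
import importlib
import os
import uuid
from datetime import datetime
from decimal import Decimal


def constructor_record(module, name, *args):
    """Constructed stand-in for a serialized Python object: which module and
    attribute to call, and with which positional arguments. Simplified model."""
    return {"__type__": "constructor", "module": module, "name": name, "args": list(args)}


def unsafe_revive(node):
    """Reconstructs tagged records by importing whatever the data names.
    The stored bytes decide what gets called: that is the RCE primitive."""
    if isinstance(node, list):
        return [unsafe_revive(n) for n in node]
    if isinstance(node, dict):
        if node.get("__type__") == "constructor":
            target = getattr(importlib.import_module(node["module"]), node["name"])
            return target(*unsafe_revive(node["args"]))
        return {k: unsafe_revive(v) for k, v in node.items()}
    return node


def derive_allowlist(schema):
    """(module, qualname) pairs for the types a graph state schema declares."""
    return frozenset((t.__module__, t.__qualname__) for t in schema.values())


def strict_revive(node, allowlist):
    """Same reconstruction, but any record outside the allowlist is refused
    before anything is imported or called."""
    if isinstance(node, list):
        return [strict_revive(n, allowlist) for n in node]
    if isinstance(node, dict):
        if node.get("__type__") == "constructor":
            key = (node["module"], node["name"])
            if key not in allowlist:
                raise ValueError(f"refusing to reconstruct {key[0]}.{key[1]}")
            target = getattr(importlib.import_module(key[0]), key[1])
            return target(*strict_revive(node["args"], allowlist))
        return {k: strict_revive(v, allowlist) for k, v in node.items()}
    return node


def strict_mode_enabled(env=os.environ):
    """Reads the LANGGRAPH_STRICT_MSGPACK switch named in the text."""
    return env.get("LANGGRAPH_STRICT_MSGPACK", "").strip().lower() == "true"


def load_checkpoint(blob, schema, strict):
    """Loads a checkpoint under the chosen policy (assumed loader, for illustration)."""
    return strict_revive(blob, derive_allowlist(schema)) if strict else unsafe_revive(blob)


def strict_rejects(blob, schema):
    """True if the strict policy refuses to load the blob."""
    try:
        load_checkpoint(blob, schema, strict=True)
        return False
    except ValueError:
        return True


# Hypothetical graph state schema: the types a legitimate checkpoint may contain.
STATE_SCHEMA = {"started": datetime, "run_id": uuid.UUID, "budget": Decimal}

# Constructed legitimate checkpoint payload.
BENIGN_BLOB = {
    "started": constructor_record("datetime", "datetime", 2026, 1, 2, 3, 4, 5),
    "run_id": constructor_record("uuid", "UUID", "12345678-1234-5678-1234-567812345678"),
    "budget": constructor_record("decimal", "Decimal", "9.99"),
}

# Tampered payload: an attacker with write access to the store swaps one field
# for a record that resolves to builtins.eval. The expression is harmless here.
TAMPERED_BLOB = dict(
    BENIGN_BLOB, budget=constructor_record("builtins", "eval", "__import__('os').getpid()")
)


if __name__ == "__main__":
    print(load_checkpoint(BENIGN_BLOB, STATE_SCHEMA, strict=strict_mode_enabled()))
    print("unsafe load ran attacker code:", load_checkpoint(TAMPERED_BLOB, STATE_SCHEMA, strict=False)["budget"])
    print("strict load rejects tampered blob:", strict_rejects(TAMPERED_BLOB, STATE_SCHEMA))
```

Under the unsafe policy the tampered record executes during load and returns the process id; under the strict policy the same record is refused before any import happens, while the benign checkpoint still reconstructs its datetime, UUID and Decimal. Whether the real flag is on is a deployment question, which is why strict_mode_enabled reads the environment rather than a code default.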
Beyond the flag, apply the patches: langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint 4.0.0+ (and the patched @langchain/langgraph-checkpoint-redis release on the JavaScript side). And restrict filter keys in get_state_history(): never pass user input directly as filter keys; validate them against an allowlist of the metadata keys your application actually uses.
The infrastructure that gives the agent memory gives the attacker persistence
What the AI supply chain has shown repeatedly now repeats at the agent persistence layer: the infrastructure that gives the agent memory and continuity is the same infrastructure that gives an attacker persistence and code execution.
At Tech86, we operate on the premise that every infrastructure layer that adds functionality to the agent also adds attack surface. Continuous monitoring, network isolation, and applied patches are not optional — they are the minimum. That is why our EDR monitors AI endpoints in real time, detecting exploitation patterns before the chain completes.
