LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution
Summary
LangGraph, an open-source framework for building AI agent applications, has three patched security flaws that could allow attackers to execute remote code (run commands on a server they don't own) on self-hosted systems. The most critical flaw is a SQL injection vulnerability (weakness that lets attackers manipulate database queries) in the SQLite checkpoint system that can be chained with an unsafe deserialization vulnerability (flaw in how the system reconstructs data from storage) to gain complete control of affected servers.
Solution / Mitigation
Update to the following patched versions: langgraph-checkpoint-sqlite version 3.0.1 or later (fixes CVE-2025-67644), langgraph version 1.0.10 or later (fixes CVE-2026-28277), and @langchain/langgraph-checkpoint-redis version 1.0.1 or later (fixes CVE-2026-27022). Additionally, the source recommends implementing authentication for self-hosted LangGraph servers, avoiding long-lived static secrets, enforcing network segmentation, treating AI agents as privileged identities, and applying the principle of least privilege (PoLP) to limit the agent's access to only what it needs.
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
First tracked: June 12, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%