CVE-2026-27022: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in langchain-ai langgraphjs
CVE-2026-27022 is a query injection vulnerability in the @langchain/langgraph-checkpoint-redis package used by LangGraph. It arises because the RedisSaver and ShallowRedisSaver classes directly interpolate user-supplied filter keys and values into RediSearch queries without proper escaping. RediSearch query syntax includes special characters that, if injected by an attacker, can alter query logic and bypass intended access controls. This vulnerability affects versions prior to 1.0.2 and has a CVSS score of 6.5, indicating medium severity. Exploitation requires low privileges but no user interaction. While no known exploits are reported in the wild, the vulnerability poses a risk to applications relying on LangGraph with Redis checkpointing. The issue is fixed in version 1.
AI Analysis
Technical Summary
CVE-2026-27022 is a security vulnerability classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) affecting the @langchain/langgraph-checkpoint-redis package, part of the LangGraph framework. The vulnerability stems from the way RedisSaver and ShallowRedisSaver classes build RediSearch queries by directly embedding user-provided filter keys and values without escaping or sanitizing special characters. RediSearch supports a rich query syntax where certain characters have special meanings that can alter the behavior of queries. An attacker can craft malicious input containing these special characters to manipulate the query logic, potentially bypassing access controls or filtering mechanisms intended to restrict data access. This injection flaw does not require user interaction but does require the attacker to have some level of privileges (PR:L) to supply filter parameters. The vulnerability affects all versions of the package prior to 1.0.2, where the issue has been fixed by implementing proper escaping or sanitization of user inputs before query construction. The CVSS 3.1 score of 6.5 reflects a medium severity with high confidentiality impact but no impact on integrity or availability. No known exploits have been reported in the wild as of the publication date, but the vulnerability presents a significant risk to applications relying on LangGraph with Redis checkpointing, especially those exposing filter parameters to untrusted users or external inputs.
Potential Impact
The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data due to bypassed access controls in RediSearch queries. Attackers exploiting this flaw can manipulate query filters to retrieve data they should not have access to, compromising confidentiality. Since the vulnerability does not affect data integrity or availability, the risk is focused on information leakage. Organizations using LangGraph with Redis checkpointing in environments where user input controls filters are at risk. This can affect applications in AI, data analytics, or any service leveraging LangGraph for knowledge graph management. The ease of exploitation is moderate since it requires some privileges to supply filter parameters but no user interaction or complex conditions. The scope includes any deployment of the vulnerable package versions, which may be widespread given LangChain's popularity in AI and data processing communities. If exploited, attackers could gain unauthorized insights into sensitive datasets, potentially leading to further attacks or compliance violations.
Mitigation Recommendations
Organizations should immediately upgrade the @langchain/langgraph-checkpoint-redis package to version 1.0.2 or later where the vulnerability is patched. In addition to upgrading, developers should implement strict input validation and sanitization on all user-supplied filter keys and values before they are used in query construction. Employing allowlists for acceptable filter keys and escaping or encoding special characters in filter values can prevent injection. Monitoring and logging query parameters for unusual patterns may help detect exploitation attempts. Where possible, restrict access to filter parameters to trusted users or internal systems only. Conduct code reviews and security testing focusing on injection vectors in query-building logic. Finally, consider isolating Redis instances and enforcing least privilege access controls to limit the blast radius of any potential exploitation.
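The raw interpolation that the Technical Summary describes, beside the allowlist-plus-escaping mitigation recommended above, as an added JavaScript example (not code from langgraphjs or the checkpoint package; the filter field names and the exact set of escaped characters are assumptions):

```javascript
// Added example, not the project's own code. It models a minimal RediSearch
// filter builder of the kind the advisory describes: filter key/value pairs
// turned into TAG clauses such as @source:{value}.

// Assumed set of characters that carry meaning in RediSearch query syntax
// (field prefix, set/group delimiters, OR, prefix/fuzzy operators, separators).
const REDISEARCH_SPECIAL = /[,.<>{}\[\]"':;!@#$%^&*()\-+=~ \/\\|]/g;

// Escape each special character with a backslash so RediSearch matches it
// literally instead of interpreting it as syntax.
function escapeTagValue(value) {
  return String(value).replace(REDISEARCH_SPECIAL, (c) => `\\${c}`);
}

// Allowlist of filter keys the builder accepts (hypothetical field names).
const ALLOWED_FILTER_KEYS = new Set(["source", "step", "writes"]);

// Vulnerable pattern from the advisory: key and value are interpolated as-is,
// so any special character in either one changes the query's structure.
function buildQueryUnsafe(filters) {
  return Object.entries(filters)
    .map(([k, v]) => `@${k}:{${v}}`)
    .join(" ");
}

// Hardened version: unknown keys are rejected outright, values are escaped.
function buildQuerySafe(filters) {
  const clauses = [];
  for (const [k, v] of Object.entries(filters)) {
    if (!ALLOWED_FILTER_KEYS.has(k)) {
      throw new Error(`filter key not allowed: ${k}`);
    }
    clauses.push(`@${k}:{${escapeTagValue(v)}}`);
  }
  return clauses.join(" ");
}

// Returns true when the safe builder refuses a filter, used for checks below.
function rejectsFilter(filters) {
  try {
    buildQuerySafe(filters);
    return false;
  } catch (e) {
    return true;
  }
}
```

Constructed sample values with punctuation (such as an e-mail address) pass through the unsafe builder unchanged but come out of the safe builder with every special character escaped.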
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T03:08:23.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6998e47bbe58cf853bd9f75b
Added to database: 2/20/2026, 10:47:23 PM
Last enriched: 2/20/2026, 11:02:20 PM
Last updated: 2/20/2026, 11:52:22 PM