CVE-2026-27022: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in langchain-ai langgraphjs
@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.
AI Analysis
Technical Summary
CVE-2026-27022 is a medium severity injection vulnerability in the @langchain/langgraph-checkpoint-redis package, the Redis checkpoint and store implementation in the LangGraphJS ecosystem. The flaw is a CWE-74 improper neutralization of special elements in output used by a downstream component: the RedisSaver and ShallowRedisSaver classes build RediSearch queries by interpolating user-supplied filter keys and values directly into the query string without escaping or validating them. RediSearch query syntax gives meaning to characters such as the field prefix (@), the TAG braces ({ }), the union operator (|), negation (-), the wildcard (*) and grouping parentheses. A filter value containing these characters can close the clause it was meant to sit in and append clauses of its own, and a filter key that is not checked against the index schema can name a field the caller was never meant to query. Either way the query logic is rewritten, and the scoping the application relied on (for example, limiting results to one thread) can be bypassed to retrieve checkpoints that should not be visible. The impact is to confidentiality; the vulnerability does not affect data integrity or availability. Exploitation requires the ability to submit filter parameters, for instance through an application feature that passes user input into the checkpointer's list() filter option, so some level of access to the application is needed. The vulnerability is tracked as CVE-2026-27022 under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), was published on February 20, 2026, and is fixed in version 1.0.2 of the package. No exploits in the wild have been reported to date.
Potential Impact
The primary impact is unauthorized disclosure of data stored in Redis through the checkpointer. LangGraph checkpoints carry the graph state persisted between steps, which in practice can include user messages, model outputs, tool results and other intermediate state, so an attacker who can influence filter parameters on a vulnerable version may retrieve checkpoints outside the scope the application intended, such as those belonging to other threads or other tenants sharing the same Redis index. The vulnerability does not affect integrity or availability, so data corruption or service disruption is not expected, but a confidentiality breach of this kind carries compliance and reputational consequences for organizations handling regulated or sensitive data. The need for some privilege to supply filters limits the attack surface without eliminating it, particularly in multi-tenant or shared environments where a low-privileged user can reach the filter path. No exploits in the wild are known, which indicates limited current threat activity but does not preclude future exploitation. Deployments of LangGraphJS with Redis checkpointing that have not upgraded to version 1.0.2 remain at risk.
Mitigation Recommendations
Upgrade @langchain/langgraph-checkpoint-redis to version 1.0.2 or later, where user inputs are escaped before being placed in RediSearch queries. Independently of the upgrade, treat filter keys and values as untrusted at the application layer: validate field names against an allow-list of the fields the index actually defines, escape RediSearch special characters in values, and reject inputs that carry query syntax before they reach query construction. Apply least privilege to the code paths that accept filters so that only trusted callers can supply them. Log the RediSearch queries the application issues (or, in a non-production environment, observe the FT.SEARCH commands with Redis MONITOR) and alert on unescaped syntax characters such as |, @, { or } appearing inside filter values. Finally, include string-built Redis and RediSearch queries in code review and penetration-testing scope so that similar interpolation patterns in LangGraph integrations are caught early.
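A query builder in the vulnerable style described in the technical summary, beside a hardened builder that applies the escaping and allow-listing recommended above. This is an added example and not code from @langchain/langgraph-checkpoint-redis or from its 1.0.2 fix; the index field names, the set of characters escaped, the thread ID and the injected filter value are all constructed for the illustration.

```typescript
// Added example: a RediSearch query builder in the vulnerable style the advisory
// describes (verbatim interpolation of filter keys and values), beside a hardened
// builder that allow-lists field names and escapes TAG values. Not code from
// @langchain/langgraph-checkpoint-redis; field names and inputs are constructed.

type FilterValue = string | number | boolean;
type Filter = { [field: string]: FilterValue };

// Characters with meaning in RediSearch query syntax: field prefix (@), TAG
// braces ({ }), union (|), negation (-), optional (~), wildcard (*), grouping,
// separators and whitespace. Inside a TAG value each must be backslash-escaped
// or the RediSearch parser reads it as grammar rather than data.
const SPECIAL = /[,.<>{}\[\]"':;!@#$%^&*()\-+=~|\/\\ ]/g;

function escapeTag(value: FilterValue): string {
  return String(value).replace(SPECIAL, (c) => "\\" + c);
}

// Vulnerable style: keys and values are dropped straight into the query string.
function buildQueryUnsafe(threadId: string, filter: Filter): string {
  const clauses = [`@thread_id:{${threadId}}`];
  for (const key of Object.keys(filter)) {
    clauses.push(`@${key}:{${String(filter[key])}}`);
  }
  return clauses.join(" ");
}

// Hardened: a field name must exist in the index schema (constructed here) and
// every value is escaped, so user input can only ever be a TAG value.
const INDEX_FIELDS: ReadonlyArray<string> = ["thread_id", "checkpoint_ns", "source", "step"];

function buildQuerySafe(threadId: string, filter: Filter): string {
  const clauses = [`@thread_id:{${escapeTag(threadId)}}`];
  for (const key of Object.keys(filter)) {
    if (INDEX_FIELDS.indexOf(key) === -1) {
      throw new Error("unknown filter field: " + JSON.stringify(key));
    }
    clauses.push(`@${key}:{${escapeTag(filter[key])}}`);
  }
  return clauses.join(" ");
}

// Number of field clauses the RediSearch parser would see: an '@' that is not
// preceded by a backslash. If user input can raise this count, the builder
// lets data become query structure and is injectable.
function countFieldClauses(query: string): number {
  return (query.match(/(^|[^\\])@/g) || []).length;
}

// Constructed attacker input: closes the TAG brace it was placed in, then
// appends a union with a clause that is no longer scoped to the caller's thread.
const INJECTED_VALUE = "x} | @thread_id:{*";

// True when the safe builder rejects a filter whose *key* carries syntax; the
// advisory notes keys are interpolated too, so escaping values alone is not enough.
function safeRejectsInjectedKey(): boolean {
  try {
    buildQuerySafe("tenant-a", { "source:{x} | @thread_id": "*" });
    return false;
  } catch (e) {
    return e instanceof Error;
  }
}

function demo() {
  const unsafe = buildQueryUnsafe("tenant-a", { source: INJECTED_VALUE });
  const safe = buildQuerySafe("tenant-a", { source: INJECTED_VALUE });
  return {
    unsafe,                                   // three clauses: thread scope escaped
    safe,                                     // two clauses: input stayed a value
    unsafeClauses: countFieldClauses(unsafe),
    safeClauses: countFieldClauses(safe),
    keyRejected: safeRejectsInjectedKey(),
  };
}

console.log(demo());
```

The unsafe builder turns the injected value into a third field clause joined by a union, so the query no longer restricts results to tenant-a. The hardened builder keeps the same value inside its braces as escaped text, and rejects a field name that is not in the index. The escape set is a conservative one; in a real deployment it should be checked against the RediSearch version in use, and the allow-list should be derived from the index definition rather than hard-coded.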
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T03:08:23.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6998e47bbe58cf853bd9f75b
Added to database: 2/20/2026, 10:47:23 PM
Last enriched: 2/28/2026, 12:41:25 PM
Last updated: 4/5/2026, 10:17:11 AM