CVE-2026-27794: CWE-502: Deserialization of Untrusted Data in langchain-ai langgraph-checkpoint
LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`.

Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file).

An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue.
AI Analysis
Technical Summary
CVE-2026-27794 is a deserialization of untrusted data vulnerability (CWE-502) affecting langchain-ai's langgraph-checkpoint library versions before 4.0.0. LangGraph Checkpoint provides an interface for checkpointing in LangGraph, and its caching layer uses a BaseCache class that defaults to JsonPlusSerializer with a fallback to Python's pickle deserialization when msgpack serialization fails. Because pickle can execute arbitrary code during deserialization, this fallback creates a remote code execution (RCE) risk if an attacker can inject malicious serialized data into the cache. The vulnerability manifests only when caching is explicitly enabled by the application, and nodes opt into caching via CachePolicy. Exploitation requires the attacker to write attacker-controlled bytes into the cache backend, which could be a networked cache like Redis with weak or no authentication, shared cache infrastructure accessible by multiple tenants, or a writable SQLite cache file with permissive permissions. Since the attacker must already have write access to the cache storage, this vulnerability is primarily a post-compromise escalation vector rather than an initial attack vector. The vulnerability was patched in langgraph-checkpoint version 4.0.0 by removing the unsafe pickle fallback. The CVSS v3.1 score is 6.6, indicating medium severity, with attack vector network, high attack complexity, requiring privileges, no user interaction, and impacting confidentiality, integrity, and availability. No known exploits are reported in the wild as of now.
Potential Impact
The primary impact of this vulnerability is remote code execution on systems running vulnerable versions of langgraph-checkpoint with caching enabled and writable cache backends exposed to attackers. Successful exploitation could allow attackers to execute arbitrary code with the privileges of the LangGraph process, potentially leading to full system compromise, data theft, or disruption of services. Because exploitation requires write access to the cache backend, this vulnerability is most dangerous in environments where cache storage is shared, network-accessible without strong authentication, or improperly secured. Organizations using LangGraph in multi-tenant or cloud environments with shared caching infrastructure are at higher risk. The vulnerability can be leveraged as a post-compromise escalation vector to deepen attacker footholds or pivot within networks. Although the CVSS score is medium, the impact on confidentiality, integrity, and availability is high if exploited. The lack of default caching reduces the attack surface, but explicit enabling of caching with vulnerable versions increases risk significantly.
Mitigation Recommendations
1. Upgrade langgraph-checkpoint to version 4.0.0 or later, where the unsafe pickle fallback has been removed.
2. Disable caching if it is not strictly required by the application to reduce attack surface.
3. Secure cache backends by enforcing strong authentication and network access controls, especially for Redis or other networked caches.
4. Avoid sharing cache infrastructure across tenants or services without strict isolation.
5. Restrict file system permissions on local cache files to prevent unauthorized write access.
6. Monitor cache backend access logs for unauthorized writes or suspicious activity.
7. Implement application-level input validation and integrity checks on cached data if possible.
8. Conduct regular security audits of caching configurations and infrastructure.
9. Consider container or process isolation to limit the impact of potential code execution.
10. Educate developers and DevOps teams about the risks of deserialization vulnerabilities and secure coding practices related to caching.
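Recommendation 7 (integrity checks on cached data) can be met by authenticating every cache entry before any deserializer sees it. The following is an added example, not LangGraph code: the function names, the in-memory `dict` backend and the use of `json` as the serializer are assumptions, and the HMAC secret is assumed to be held by the application, outside the cache backend.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag is 32 bytes


class CacheIntegrityError(Exception):
    """A cache entry failed authentication and must not be deserialized."""


def _context(namespace: str, cache_key: str) -> bytes:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (namespace.encode(), cache_key.encode())
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def seal(secret: bytes, namespace: str, cache_key: str, payload: bytes) -> bytes:
    """Return tag || payload, with the tag bound to the entry's location."""
    msg = _context(namespace, cache_key) + payload
    return hmac.new(secret, msg, hashlib.sha256).digest() + payload


def unseal(secret: bytes, namespace: str, cache_key: str, blob: bytes) -> bytes:
    """Verify the tag in constant time and return the payload, or raise."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    msg = _context(namespace, cache_key) + payload
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CacheIntegrityError(f"rejected entry {namespace}/{cache_key}")
    return payload


def cache_put(store: dict, secret: bytes, namespace: str, cache_key: str, value) -> None:
    # json stands in for the application's serializer (assumption).
    payload = json.dumps(value).encode()
    store[(namespace, cache_key)] = seal(secret, namespace, cache_key, payload)


def cache_get(store: dict, secret: bytes, namespace: str, cache_key: str):
    blob = store[(namespace, cache_key)]
    # Authentication happens first; no deserializer sees unverified bytes.
    return json.loads(unseal(secret, namespace, cache_key, blob))


def is_rejected(store: dict, secret: bytes, namespace: str, cache_key: str) -> bool:
    try:
        cache_get(store, secret, namespace, cache_key)
    except CacheIntegrityError:
        return True
    return False
```

Binding the tag to the namespace and key also rejects a valid entry that has been copied to a different cache location.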
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.265Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d86b7ef31ef0b587d30
Added to database: 2/25/2026, 9:45:42 PM
Last enriched: 2/27/2026, 8:52:57 AM
Last updated: 4/12/2026, 6:29:39 AM