CVE-2026-27794: CWE-502: Deserialization of Untrusted Data in langchain-ai langgraph-checkpoint
A deserialization vulnerability (CWE-502) exists in langchain-ai's langgraph-checkpoint versions prior to 4. 0. 0. The issue arises when applications explicitly enable caching with cache backends inheriting from BaseCache and nodes opt into caching via CachePolicy. The default serializer falls back to pickle. loads for certain data, allowing remote code execution if an attacker can write malicious serialized data into the cache backend. Exploitation requires write access to the cache storage, making this a post-compromise escalation vector. The vulnerability is patched in langgraph-checkpoint version 4. 0. 0.
AI Analysis
Technical Summary
LangGraph Checkpoint prior to version 4.0.0 uses a caching mechanism that defaults to JsonPlusSerializer with a pickle fallback. If msgpack serialization fails, cached data is deserialized using pickle.loads, which can lead to remote code execution if an attacker can inject malicious serialized objects into the cache. This requires the application to have caching explicitly enabled and the attacker to have write access to the cache backend, such as a network-accessible Redis instance with weak or no authentication or a writable local cache file. Because exploitation requires prior write access, this vulnerability serves as a post-compromise escalation vector. The issue is resolved in langgraph-checkpoint 4.0.0.
Potential Impact
Successful exploitation allows an attacker with write access to the cache backend to execute arbitrary code within the context of the LangGraph process. This can lead to full compromise of the application environment. However, exploitation requires prior access to write attacker-controlled data to the cache, limiting the attack to post-compromise scenarios. Confidentiality, integrity, and availability of the affected system can be fully impacted.
Mitigation Recommendations
Upgrade langgraph-checkpoint to version 4.0.0 or later, where this vulnerability is patched. If upgrading is not immediately possible, ensure that cache backends are not enabled or that cache storage is not writable by untrusted parties. Restrict write access to cache backends such as Redis instances and local cache files to trusted users and processes only. Patch status is confirmed fixed in version 4.0.0.
CVE-2026-27794: CWE-502: Deserialization of Untrusted Data in langchain-ai langgraph-checkpoint
Description
A deserialization vulnerability (CWE-502) exists in langchain-ai's langgraph-checkpoint versions prior to 4. 0. 0. The issue arises when applications explicitly enable caching with cache backends inheriting from BaseCache and nodes opt into caching via CachePolicy. The default serializer falls back to pickle. loads for certain data, allowing remote code execution if an attacker can write malicious serialized data into the cache backend. Exploitation requires write access to the cache storage, making this a post-compromise escalation vector. The vulnerability is patched in langgraph-checkpoint version 4. 0. 0.
CVSS v3.1
Score 6.6medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LangGraph Checkpoint prior to version 4.0.0 uses a caching mechanism that defaults to JsonPlusSerializer with a pickle fallback. If msgpack serialization fails, cached data is deserialized using pickle.loads, which can lead to remote code execution if an attacker can inject malicious serialized objects into the cache. This requires the application to have caching explicitly enabled and the attacker to have write access to the cache backend, such as a network-accessible Redis instance with weak or no authentication or a writable local cache file. Because exploitation requires prior write access, this vulnerability serves as a post-compromise escalation vector. The issue is resolved in langgraph-checkpoint 4.0.0.
Potential Impact
Successful exploitation allows an attacker with write access to the cache backend to execute arbitrary code within the context of the LangGraph process. This can lead to full compromise of the application environment. However, exploitation requires prior access to write attacker-controlled data to the cache, limiting the attack to post-compromise scenarios. Confidentiality, integrity, and availability of the affected system can be fully impacted.
Mitigation Recommendations
Upgrade langgraph-checkpoint to version 4.0.0 or later, where this vulnerability is patched. If upgrading is not immediately possible, ensure that cache backends are not enabled or that cache storage is not writable by untrusted parties. Restrict write access to cache backends such as Redis instances and local cache files to trusted users and processes only. Patch status is confirmed fixed in version 4.0.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-24T02:31:33.265Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6d86b7ef31ef0b587d30
Added to database: 2/25/2026, 9:45:42 PM
Last enriched: 5/26/2026, 8:25:50 PM
Last updated: 5/27/2026, 5:24:16 PM
Views: 188
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.