CVE-2026-28277 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) affecting the langgraph product from langchain-ai, specifically versions up to and including 1.0.9. LangGraph's SQLite CheckpointSaver implementation uses SQLite databases to persist checkpoints, which are serialized using msgpack encoding. During checkpoint loading, the system deserializes these msgpack-encoded checkpoints back into Python objects. Because Python object deserialization can execute arbitrary code if the data is maliciously crafted, this process is unsafe if the checkpoint data can be tampered with. An attacker who gains privileged write access to the underlying SQLite database or persistence layer can inject a malicious payload that, when deserialized, leads to arbitrary code execution or other malicious behavior. This vulnerability does not require user interaction but does require the attacker to have elevated privileges to modify the checkpoint data. The vulnerability has not been publicly patched as of the publication date (March 5, 2026). The CVSS 3.1 score is 6.8, indicating a medium severity with high impact on confidentiality, integrity, and availability. The attack vector is adjacent network (AV:A), requiring low attack complexity (AC:L) but high privileges (PR:H). The scope is unchanged (S:U), and no user interaction is required (UI:N). No known exploits are currently in the wild. This vulnerability is critical in environments where checkpoint data integrity cannot be guaranteed or where multiple tenants share the same persistence infrastructure.

If exploited, this vulnerability can lead to arbitrary code execution within the context of the application deserializing the checkpoint data. This compromises confidentiality by potentially exposing sensitive data stored or processed by langgraph. Integrity is compromised as attackers can manipulate checkpoint data to alter application behavior or inject malicious logic. Availability may also be affected if the injected payload disrupts normal operations or causes crashes. Since exploitation requires privileged write access to the persistence layer, the vulnerability is often a post-compromise risk, enabling attackers to escalate their foothold or maintain persistence. Organizations relying on langgraph for AI workflows or data processing may face significant operational disruption, data breaches, or lateral movement within their networks. The absence of a public patch increases the risk window, especially in environments where database security is weak or multi-tenant setups exist. The medium severity rating reflects the balance between the high impact and the prerequisite of elevated privileges for exploitation.

1. Restrict and monitor access to the SQLite checkpoint database and any persistence layers to prevent unauthorized modifications. Implement strict access controls and audit logging for all write operations. 2. Isolate checkpoint storage to trusted environments and avoid sharing persistence layers across tenants or untrusted users. 3. Employ integrity verification mechanisms such as cryptographic signatures or hashes on checkpoint data before deserialization to detect tampering. 4. Consider disabling automatic checkpoint loading or deserialization if not strictly necessary, or implement safer serialization formats that do not allow arbitrary code execution. 5. Monitor application logs and database access patterns for unusual activity indicative of tampering attempts. 6. Stay updated with langchain-ai releases and apply patches promptly once available. 7. As a temporary workaround, restrict the use of vulnerable langgraph versions to trusted environments only and avoid exposing checkpoint databases to potentially untrusted networks or users. 8. Conduct regular security assessments of the persistence infrastructure to identify and remediate privilege escalation paths that could enable exploitation.