CVE-2026-48775: CWE-502: Deserialization of Untrusted Data in langchain-ai langgraph
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.
AI Analysis
Technical Summary
The LangGraph SQLite Checkpoint implementation in langchain-ai langgraph versions up to 4.1.0 uses JsonPlusSerializer to reconstruct Python objects from JSON checkpoint payloads. If an attacker can modify checkpoint bytes stored in the backing SQLite database, the deserialization process may instantiate unexpected objects, potentially leading to code execution during checkpoint loading. This vulnerability is a defense-in-depth issue, as exploitation requires prior unauthorized write access to the checkpoint storage. The issue is addressed in version 4.1.1.
Potential Impact
Successful exploitation could lead to code execution within the application runtime when loading checkpoints, resulting in confidentiality, integrity, and availability impacts. However, exploitation requires that an attacker already has the ability to modify checkpoint data at rest, which implies a serious security breach prior to exploitation of this vulnerability.
Mitigation Recommendations
A fix is available in langchain-ai langgraph version 4.1.1. Users should upgrade to this version to remediate the vulnerability. Until upgraded, ensure that checkpoint storage is protected against unauthorized write access, as exploitation depends on the ability to modify checkpoint data at rest.
CVE-2026-48775: CWE-502: Deserialization of Untrusted Data in langchain-ai langgraph
Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.
CVSS v3.1
Score 6.8medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The LangGraph SQLite Checkpoint implementation in langchain-ai langgraph versions up to 4.1.0 uses JsonPlusSerializer to reconstruct Python objects from JSON checkpoint payloads. If an attacker can modify checkpoint bytes stored in the backing SQLite database, the deserialization process may instantiate unexpected objects, potentially leading to code execution during checkpoint loading. This vulnerability is a defense-in-depth issue, as exploitation requires prior unauthorized write access to the checkpoint storage. The issue is addressed in version 4.1.1.
Potential Impact
Successful exploitation could lead to code execution within the application runtime when loading checkpoints, resulting in confidentiality, integrity, and availability impacts. However, exploitation requires that an attacker already has the ability to modify checkpoint data at rest, which implies a serious security breach prior to exploitation of this vulnerability.
Mitigation Recommendations
A fix is available in langchain-ai langgraph version 4.1.1. Users should upgrade to this version to remediate the vulnerability. Until upgraded, ensure that checkpoint storage is protected against unauthorized write access, as exploitation depends on the ability to modify checkpoint data at rest.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-22T19:39:05.357Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31965e0b89be688808a362
Added to database: 6/16/2026, 6:30:54 PM
Last enriched: 6/16/2026, 6:47:14 PM
Last updated: 6/17/2026, 5:09:44 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.