Description
LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue.
Published: 2026-02-25
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the serialization logic of LangGraph’s cache layer. When BaseCache falls back from msgpack to pickle for serialization, an attacker who can write arbitrary bytes to the cache can trigger deserialization via pickle.loads during a later read. This enables execution of arbitrary code in the process that owns the LangGraph instance. The failure to default to a safe serialization mechanism means that any untrusted cache entry becomes a vector for code execution.

Affected Systems

The issue affects the langgraph-checkpoint package from langchain-ai, specifically all releases older than 4.0.0. Applications must have explicitly enabled a cache backend that inherits from BaseCache and have at least one node configured to cache via CachePolicy. Caching is not enabled by default, so normal usage without cache configuration is not impacted.

Risk and Exploitability

The CVSS base score of 6.6 reflects a moderate severity, while an EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires write access to the cache backend, making it a post‑compromise or post‑access escalation vector. If an attacker controls a network‑accessible Redis instance without authentication or can modify local cache files such as SQLite, they can inject malicious payloads, leading to remote code execution on the LangGraph host.

Generated by OpenCVE AI on April 17, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade langgraph-checkpoint to version 4.0.0 or later, where the dangerous pickle fallback has been removed.
  • Configure the cache storage to deny write access from untrusted sources: enable authentication on Redis, set strict permissions on SQLite files, and isolate shared volumes to prevent cross‑tenant write capability.
  • If caching is not required for your workflow, disable the cache backend or remove CachePolicy configurations so that no data is serialized by BaseCache.
  • Monitor cache activity for unauthorized writes and set alerts for unexpected serialization attempts.
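A defensive check for the monitoring action above, as an added example that is not part of the advisory or of LangGraph's own code: it parses a raw cache value's pickle opcodes with `pickletools.genops`, which never executes the stream, and reports whether the value is a pickle and which names it would import. The names `inspect_cache_value`, `scan` and `SAMPLES` are hypothetical, the sample bytes are constructed, and reading the raw values out of Redis or SQLite is assumed to happen elsewhere.

```python
import datetime
import pickle
import pickletools

# Opcodes that make pickle.loads() import a name or call/construct an object.
RISKY = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
         "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def inspect_cache_value(blob: bytes) -> dict:
    """Classify raw cache bytes by parsing opcodes only; nothing is unpickled."""
    empty = {"is_pickle": False, "risky_opcodes": [], "imports": []}
    if len(blob) < 2 or not blob.endswith(b"."):  # every pickle ends with STOP
        return empty
    risky, imports, strings, last = [], [], [], None
    try:
        for op, arg, pos in pickletools.genops(blob):
            last = (op.name, pos)
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name == "GLOBAL":        # protocols 0-3: arg is "module name"
                imports.append(arg.replace(" ", "."))
            elif op.name == "STACK_GLOBAL":  # protocol 4+: heuristic, last two strings
                imports.append(".".join(strings[-2:]))
            if op.name in RISKY and op.name not in risky:
                risky.append(op.name)
    except Exception:                        # not a well-formed pickle stream
        return empty
    if last != ("STOP", len(blob) - 1):      # STOP must be the final byte
        return empty
    return {"is_pickle": True, "risky_opcodes": risky, "imports": imports}


# Constructed sample values (not taken from any real cache).
SAMPLES = {
    "msgpack_like": b"\x81\xa1a\x01",  # hand-written msgpack map {"a": 1}
    "plain_pickle": pickle.dumps({"a": 1}, protocol=4),
    "object_pickle": pickle.dumps(datetime.date(2026, 2, 25), protocol=4),
}


def scan(samples: dict) -> dict:
    """Return a report per cache key; alert on any entry with is_pickle True."""
    return {key: inspect_cache_value(value) for key, value in samples.items()}


if __name__ == "__main__":
    for key, report in scan(SAMPLES).items():
        print(key, report)
```

Very short values can parse as a pickle by coincidence, so treat `is_pickle` as a triage signal and the `imports` list as the detail to review.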



Advisories
Source: GitHub GHSA
ID: GHSA-mhr3-j7m5-c7c9
Title: LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
History

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Langchain-ai; Langchain-ai langgraph-checkpoint
Vendors & Products | | Langchain-ai; Langchain-ai langgraph-checkpoint

Thu, 26 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 25 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Same text as the Description at the top of this page.
Title | | LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1: {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:00:24.430Z

Reserved: 2026-02-24T02:31:33.265Z

Link: CVE-2026-27794

Vulnrichment

Updated: 2026-02-25T21:00:17.559Z

NVD

Status: Deferred

Published: 2026-02-25T18:23:40.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27794

Redhat

Severity: Moderate

Public Date: 2026-02-25T16:53:47Z

Links: CVE-2026-27794 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses