Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.
Published: 2026-03-05
Score: 6.8 Medium
EPSS: 5.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LangGraph load operations deserialize checkpoint data that is encoded with msgpack, automatically reconstructing Python objects during the process. Based on the description, it is inferred that a crafted payload can influence the reconstruction logic, potentially leading to code execution or compromise of the running process, though the official documentation only states a potential for unsafe object reconstruction.

Affected Systems

The vulnerability exists in LangChain AI’s LangGraph package version 1.0.9 and earlier. The affected component is the SQLite‑based checkpoint loader used by LangGraph, which stores checkpoints in a local SQLite database. Any deployment that relies on these older LangGraph versions and allows the checkpoint database to be written to by untrusted parties is exposed.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score of 5% suggests a moderate likelihood of exploitation. The vulnerability is not listed in CISA KEV catalog, so no public exploits have been reported yet. The likely attack vector is inferred to involve an attacker who can modify the checkpoint database, for example through database compromise or privileged write access. If an adversary succeeds in injecting a crafted payload into the stored checkpoint, the unsafe deserialization could trigger remote code execution or other compromise of the running process.

Generated by OpenCVE AI on June 24, 2026 at 12:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict file system permissions on the SQLite checkpoint database so that only trusted processes and privileged users have write access.
  • Enable monitoring and auditing of the checkpoint database to detect any unauthorized modifications promptly.
  • Apply an official LangGraph patch or upgrade to a newer version as soon as an update becomes available.

Generated by OpenCVE AI on June 24, 2026 at 12:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g48c-2wqr-h844 LangGraph checkpoint loading has unsafe msgpack deserialization
History

Tue, 21 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Langchain
Langchain langgraph
CPEs cpe:2.3:a:langchain:langgraph:*:*:*:*:*:*:*:*
Vendors & Products Langchain
Langchain langgraph

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langgraph
Vendors & Products Langchain-ai
Langchain-ai langgraph

Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.
Title LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Langchain Langgraph
Langchain-ai Langgraph
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:04:29.687Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28277

cve-icon Vulnrichment

Updated: 2026-03-06T18:04:26.192Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T20:16:15.677

Modified: 2026-06-17T10:28:25.160

Link: CVE-2026-28277

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data