Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.
Published: 2026-03-05
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Assess Impact
AI Analysis

Impact

LangGraph load operations deserialize checkpoint data that is encoded with msgpack, automatically reconstructing Python objects during the process. This uncontrolled deserialization is a classic instance of unsafe object reconstruction, listed under CWE‑502. Because a crafted payload can influence the reconstruction logic, an attacker who can supply malicious data during checkpoint loading may be able to execute arbitrary code or otherwise compromise the running process.

Affected Systems

The vulnerability exists in LangChain AI’s LangGraph package version 1.0.9 and earlier. The affected component is the SQLite‑based checkpoint loader used by LangGraph, which stores checkpoints in a local SQLite database. Any deployment that relies on these older LangGraph versions and allows the checkpoint database to be written to by untrusted parties is exposed.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, but the EPSS score of less than 1% suggests that actual exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, so no public exploits have been reported yet. Nevertheless, the attack requires the ability to alter the checkpoint database—either through a database compromise or privileged write access. If an adversary succeeds in modifying the stored checkpoint, they can inject a payload that triggers unsafe deserialization, potentially leading to remote code execution.

Generated by OpenCVE AI on April 16, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict file system permissions on the SQLite checkpoint database so that only trusted processes and privileged users have write access.
  • Enable monitoring and auditing of the checkpoint database to detect any unauthorized modifications promptly.
  • Apply an official LangGraph patch or upgrade to a newer version as soon as an update becomes available.

Generated by OpenCVE AI on April 16, 2026 at 12:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g48c-2wqr-h844 LangGraph checkpoint loading has unsafe msgpack deserialization
History

Tue, 21 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Langchain
Langchain langgraph
CPEs cpe:2.3:a:langchain:langgraph:*:*:*:*:*:*:*:*
Vendors & Products Langchain
Langchain langgraph

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langgraph
Vendors & Products Langchain-ai
Langchain-ai langgraph

Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.
Title LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Langchain Langgraph
Langchain-ai Langgraph
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:04:29.687Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28277

cve-icon Vulnrichment

Updated: 2026-03-06T18:04:26.192Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T20:16:15.677

Modified: 2026-04-21T15:14:55.870

Link: CVE-2026-28277

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses