Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.
Published: 2026-06-16
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LangGraph SQLite Checkpoint implements a checkpoint saver that uses a JSON-based serializer capable of reconstructing Python objects. In versions 4.1.0 and earlier, the JsonPlusSerializer used during checkpoint loading accepts arbitrary JSON payloads and can instantiate objects beyond the intended set. If an attacker is able to alter the JSON bytes stored in the backing SQLite database, deserialization can rebuild these objects, potentially leading to execution of arbitrary code at load time. This flaw manifests as a classic unsafe deserialization vulnerability (CWE-502) compounded by improper control of dynamically managed code resources (CWE-913).

Affected Systems

Vendors affected include langchain-ai with the langgraph and langgraph-checkpoint libraries. All releases up to and including version 4.1.0 are vulnerable; the issue is fixed in 4.1.1. Applications that rely on LangGraph SQLite Checkpoint for state persistence should check whether they are running one of the affected versions.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity, and the EPSS score of less than 1% suggests that the likelihood of exploitation is very low in the general population. The flaw is not catalogued in CISA's KEV list, implying no confirmed exploit activity. The vulnerability can only be leveraged if an attacker already has the ability to modify checkpoint data at rest, a condition that usually denotes a serious breach or privileged access (the CVSS vector records adjacent access and high privileges). Once this precondition is met, the deserialization path can be invoked to execute code within the application process.

Generated by OpenCVE AI on June 17, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the langgraph and langgraph-checkpoint packages to version 4.1.1 or later to incorporate the fixed serializer.
  • Review and restrict write access controls on the SQLite checkpoint database so that only authorized processes can modify checkpoint data.
  • Validate that all checkpoint payloads are signed or checksummed before deserialization to detect tampering.

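One way to implement the third recommended action above, as an added example that is not code from the langgraph project: an HMAC tag over each serialized checkpoint, verified in constant time before the bytes ever reach the JSON deserializer, which turns an at-rest edit of the SQLite row into a load-time error instead of an object-reconstruction path. The dumps_typed/loads_typed method names, the DEMO_KEY and the sample checkpoint are assumptions for this example; in deployment the key comes from a secret store, never from the checkpoint database itself.

```python
import hashlib
import hmac
import json
from typing import Any, Tuple

# Constructed demo key for this example only; real deployments load it from a
# secret store, never from the checkpoint database the tag is meant to protect.
DEMO_KEY = b"constructed-demo-key-do-not-use"
TAG_LEN = 64  # hex length of a SHA-256 HMAC tag


class SignedJsonSerializer:
    """Stores checkpoints as '<hex tag>.<json>' and refuses to deserialize any
    payload whose tag does not verify (hypothetical wrapper, not LangGraph's)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _tag(self, type_name: str, payload: bytes) -> bytes:
        # Bind the tag to the type name too, so neither part can be swapped alone.
        msg = type_name.encode() + b"\x00" + payload
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()

    def dumps_typed(self, obj: Any) -> Tuple[str, bytes]:
        payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
        return "json", self._tag("json", payload) + b"." + payload

    def loads_typed(self, data: Tuple[str, bytes]) -> Any:
        type_name, blob = data
        tag, sep, payload = blob[:TAG_LEN], blob[TAG_LEN:TAG_LEN + 1], blob[TAG_LEN + 1:]
        if sep != b".":
            raise ValueError("checkpoint payload carries no integrity tag")
        if not hmac.compare_digest(tag, self._tag(type_name, payload)):  # constant time
            raise ValueError("checkpoint payload failed integrity check; not deserialized")
        return json.loads(payload)


def demo() -> dict:
    """Round-trips a constructed checkpoint, then simulates an at-rest edit of the row."""
    ser = SignedJsonSerializer(DEMO_KEY)
    checkpoint = {"channel_values": {"messages": ["hi"]}, "step": 3}  # constructed sample
    stored = ser.dumps_typed(checkpoint)
    result = {"roundtrip": ser.loads_typed(stored) == checkpoint}
    type_name, blob = stored
    tampered = (type_name, blob.replace(b'"step":3', b'"step":4'))
    try:
        ser.loads_typed(tampered)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result
```

The tag only detects tampering by someone without the key; it does not replace upgrading to 4.1.1, which removes the over-broad reconstruction itself.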


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:15:00 +0000

Type: References
Values Removed: (none recorded)
Values Added: (none recorded)

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Moderate


Tue, 16 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none recorded)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:00:00 +0000

Type: First Time appeared
Values Removed: (none recorded)
Values Added: Langchain-ai; Langchain-ai langgraph; Langchain-ai langgraph-checkpoint

Type: Vendors & Products
Values Removed: (none recorded)
Values Added: Langchain-ai; Langchain-ai langgraph; Langchain-ai langgraph-checkpoint

Tue, 16 Jun 2026 18:30:00 +0000

Type: Description
Values Removed: (none recorded)
Values Added: LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.

Type: Title
Values Removed: (none recorded)
Values Added: LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading

Type: Weaknesses
Values Removed: (none recorded)
Values Added: CWE-502; CWE-913

Type: References
Values Removed: (none recorded)
Values Added: (none recorded)

Type: Metrics (cvssV3_1)
Values Removed: (none recorded)
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Sources

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T18:42:07.221Z

Reserved: 2026-05-22T19:39:05.357Z

Link: CVE-2026-48775

Vulnrichment

Updated: 2026-06-16T18:41:10.319Z

NVD

Status: Awaiting Analysis

Published: 2026-06-16T19:16:58.880

Modified: 2026-06-16T20:46:19.370

Link: CVE-2026-48775

Red Hat

Severity: Moderate

Public Date: 2026-06-16T17:53:10Z

Links: CVE-2026-48775 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-16T20:00:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data

  • CWE-913

    Improper Control of Dynamically-Managed Code Resources