GHSA-MHR3-J7M5-C7C9
Vulnerability from github – Published: 2026-02-25 22:59 – Updated: 2026-02-25 22:59Context
A Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to langgraph-checkpoint 4.0.0, BaseCache defaults to JsonPlusSerializer(pickle_fallback=True). When msgpack serialization fails, cached values can be deserialized via pickle.loads(...).
Who is affected?
Caching is not enabled by default. Applications are affected only when:
- The application explicitly enables a cache backend (for example by passing
cache=...toStateGraph.compile(...)or otherwise configuring aBaseCacheimplementation) - One or more nodes opt into caching via
CachePolicy - The attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file)
Example (enabling a cache backend and opting a node into caching):
from langgraph.cache.memory import InMemoryCache
from langgraph.graph import StateGraph
from langgraph.types import CachePolicy
def my_node(state: dict) -> dict:
return {"value": state.get("value", 0) + 1}
builder = StateGraph(dict)
builder.add_node("my_node", my_node, cache_policy=CachePolicy(ttl=120))
builder.set_entry_point("my_node")
graph = builder.compile(cache=InMemoryCache())
result = graph.invoke({"value": 1})
With pickle_fallback=True, when msgpack serialization fails, JsonPlusSerializer can fall back to storing values as a ("pickle", <bytes>) tuple and later deserialize them via pickle.loads(...). If an attacker can place a malicious pickle payload into the cache backend such that the LangGraph process reads and deserializes it, this can lead to arbitrary code execution.
Exploitation requires attacker write access to the cache backend. The serializer is not exposed as a network-facing API.
This is fixed in langgraph-checkpoint>=4.0.0 by disabling pickle fallback by default (pickle_fallback=False).
Impact
Arbitrary code execution in the LangGraph process when attacker-controlled cache entries are deserialized.
Root Cause
BaseCachedefault serializer configuration inherited by cache implementations (InMemoryCache,RedisCache,SqliteCache):-
libs/checkpoint/langgraph/cache/base/__init__.py(pre-fix default:JsonPlusSerializer(pickle_fallback=True)) -
JsonPlusSerializerdeserialization sink: libs/checkpoint/langgraph/checkpoint/serde/jsonplus.pyloads_typed(...)callspickle.loads(data_)whentype_ == "pickle"and pickle fallback is enabled
Attack preconditions
An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them.
This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume).
Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector.
Remediation
- Upgrade to
langgraph-checkpoint>=4.0.0.
Resources
- ZDI-CAN-28385
- Patch: https://github.com/langchain-ai/langgraph/pull/6677
- Patch diff: https://patch-diff.githubusercontent.com/raw/langchain-ai/langgraph/pull/6677.patch
- Credit: Peter Girnus (@gothburz), Demeng Chen, and Brandon Niemczyk (Trend Micro Zero Day Initiative)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langgraph-checkpoint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27794"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T22:59:12Z",
"nvd_published_at": "2026-02-25T18:23:40Z",
"severity": "MODERATE"
},
"details": "## Context\n\nA Remote Code Execution vulnerability exists in LangGraph\u0027s caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`.\n\n### Who is affected?\n\nCaching is not enabled by default. Applications are affected only when:\n\n- The application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation)\n- One or more nodes opt into caching via `CachePolicy`\n- The attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file)\n\nExample (enabling a cache backend and opting a node into caching):\n\n```py\nfrom langgraph.cache.memory import InMemoryCache\nfrom langgraph.graph import StateGraph\nfrom langgraph.types import CachePolicy\n\n\ndef my_node(state: dict) -\u003e dict:\n return {\"value\": state.get(\"value\", 0) + 1}\n\n\nbuilder = StateGraph(dict)\nbuilder.add_node(\"my_node\", my_node, cache_policy=CachePolicy(ttl=120))\nbuilder.set_entry_point(\"my_node\")\n\ngraph = builder.compile(cache=InMemoryCache())\n\nresult = graph.invoke({\"value\": 1})\n```\n\nWith `pickle_fallback=True`, when msgpack serialization fails, `JsonPlusSerializer` can fall back to storing values as a `(\"pickle\", \u003cbytes\u003e)` tuple and later deserialize them via `pickle.loads(...)`. If an attacker can place a malicious pickle payload into the cache backend such that the LangGraph process reads and deserializes it, this can lead to arbitrary code execution.\n\nExploitation requires attacker write access to the cache backend. The serializer is not exposed as a network-facing API.\n\nThis is fixed in `langgraph-checkpoint\u003e=4.0.0` by disabling pickle fallback by default (`pickle_fallback=False`).\n\n## Impact\n\nArbitrary code execution in the LangGraph process when attacker-controlled cache entries are deserialized.\n\n## Root Cause\n\n- `BaseCache` default serializer configuration inherited by cache implementations (`InMemoryCache`, `RedisCache`, `SqliteCache`):\n - `libs/checkpoint/langgraph/cache/base/__init__.py` (pre-fix default: `JsonPlusSerializer(pickle_fallback=True)`)\n\n- `JsonPlusSerializer` deserialization sink:\n - `libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py`\n - `loads_typed(...)` calls `pickle.loads(data_)` when `type_ == \"pickle\"` and pickle fallback is enabled\n\n## Attack preconditions\n\nAn attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them.\n\nThis typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume).\n\nBecause exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector.\n\n## Remediation\n\n- Upgrade to `langgraph-checkpoint\u003e=4.0.0`.\n\n## Resources\n\n- ZDI-CAN-28385\n- Patch: https://github.com/langchain-ai/langgraph/pull/6677\n- Patch diff: https://patch-diff.githubusercontent.com/raw/langchain-ai/langgraph/pull/6677.patch\n- Credit: Peter Girnus (@gothburz), Demeng Chen, and Brandon Niemczyk (Trend Micro Zero Day Initiative)",
"id": "GHSA-mhr3-j7m5-c7c9",
"modified": "2026-02-25T22:59:12Z",
"published": "2026-02-25T22:59:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27794"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langgraph/pull/6677"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langgraph"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution "
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.