FKIE_CVE-2026-27794

Vulnerability from fkie_nvd - Published: 2026-02-25 18:23 - Updated: 2026-04-15 00:35
Severity ?
6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue.
References
security-advisories@github.comhttps://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c
security-advisories@github.comhttps://github.com/langchain-ai/langgraph/pull/6677
security-advisories@github.comhttps://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0
security-advisories@github.comhttps://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph\u0027s caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue."
    },
    {
      "lang": "es",
      "value": "LangGraph Checkpoint define la interfaz base para los gestores de puntos de control de LangGraph. Antes de la versi\u00f3n 4.0.0, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en la capa de cach\u00e9 de LangGraph cuando las aplicaciones habilitan *backends* de cach\u00e9 que heredan de `BaseCache` y habilitan nodos para el almacenamiento en cach\u00e9 a trav\u00e9s de `CachePolicy`. Antes de `langgraph-checkpoint` 4.0.0, `BaseCache` por defecto utiliza `JsonPlusSerializer(pickle_fallback=True)`. Cuando la serializaci\u00f3n de msgpack falla, los valores almacenados en cach\u00e9 pueden ser deserializados a trav\u00e9s de `pickle.loads(...)`. El almacenamiento en cach\u00e9 no est\u00e1 habilitado por defecto. Las aplicaciones se ven afectadas solo cuando la aplicaci\u00f3n habilita expl\u00edcitamente un *backend* de cach\u00e9 (por ejemplo, pasando `cache=...` a `StateGraph.compile(...)` o configurando de otra manera una implementaci\u00f3n de `BaseCache`), uno o m\u00e1s nodos habilitan el almacenamiento en cach\u00e9 a trav\u00e9s de `CachePolicy`, y el atacante puede escribir en el *backend* de cach\u00e9 (por ejemplo, una instancia de Redis accesible por red con autenticaci\u00f3n d\u00e9bil/nula, infraestructura de cach\u00e9 compartida accesible por otros inquilinos/servicios, o un archivo de cach\u00e9 SQLite escribible). Un atacante debe poder escribir bytes controlados por el atacante en el *backend* de cach\u00e9 de modo que el proceso de LangGraph los lea y deserialice posteriormente. Esto normalmente requiere acceso de escritura a una cach\u00e9 en red (por ejemplo, una instancia de Redis accesible por red con autenticaci\u00f3n d\u00e9bil/nula o infraestructura de cach\u00e9 compartida accesible por otros inquilinos/servicios) o acceso de escritura al almacenamiento de cach\u00e9 local (por ejemplo, un archivo de cach\u00e9 SQLite escribible a trav\u00e9s de permisos de archivo permisivos o un volumen compartido escribible). Debido a que la explotaci\u00f3n requiere acceso de escritura a la capa de almacenamiento de cach\u00e9, este es un vector de escalada post-compromiso / post-acceso. LangGraph Checkpoint 4.0.0 corrige el problema."
    }
  ],
  "id": "CVE-2026-27794",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-25T18:23:40.980",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraph/pull/6677"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.