{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27794", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.265Z", "datePublished": "2026-02-25T16:53:47.176Z", "dateUpdated": "2026-02-25T21:00:24.430Z"}, "containers": {"cna": {"title": "LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"}, {"name": "https://github.com/langchain-ai/langgraph/pull/6677", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langgraph/pull/6677"}, {"name": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"}, {"name": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"}], "affected": [{"vendor": "langchain-ai", "product": "langgraph-checkpoint", "versions": [{"version": "< 4.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T16:53:47.176Z"}, "descriptions": [{"lang": "en", "value": "LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue."}], "source": {"advisory": "GHSA-mhr3-j7m5-c7c9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:00:12.555344Z", "id": "CVE-2026-27794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:00:24.430Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T21:00:12.555344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:00:17.559Z"}}], "cna": {"title": "LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution", "source": {"advisory": "GHSA-mhr3-j7m5-c7c9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "langchain-ai", "product": "langgraph-checkpoint", "versions": [{"status": "affected", "version": "< 4.0.0"}]}], "references": [{"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9", "name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langchain-ai/langgraph/pull/6677", "name": "https://github.com/langchain-ai/langgraph/pull/6677", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c", "name": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0", "name": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T16:53:47.176Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27794", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:00:24.430Z", "dateReserved": "2026-02-24T02:31:33.265Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T16:53:47.176Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue."}, {"lang": "es", "value": "LangGraph Checkpoint define la interfaz base para los gestores de puntos de control de LangGraph. Antes de la versi\u00f3n 4.0.0, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en la capa de cach\u00e9 de LangGraph cuando las aplicaciones habilitan *backends* de cach\u00e9 que heredan de `BaseCache` y habilitan nodos para el almacenamiento en cach\u00e9 a trav\u00e9s de `CachePolicy`. Antes de `langgraph-checkpoint` 4.0.0, `BaseCache` por defecto utiliza `JsonPlusSerializer(pickle_fallback=True)`. Cuando la serializaci\u00f3n de msgpack falla, los valores almacenados en cach\u00e9 pueden ser deserializados a trav\u00e9s de `pickle.loads(...)`. El almacenamiento en cach\u00e9 no est\u00e1 habilitado por defecto. Las aplicaciones se ven afectadas solo cuando la aplicaci\u00f3n habilita expl\u00edcitamente un *backend* de cach\u00e9 (por ejemplo, pasando `cache=...` a `StateGraph.compile(...)` o configurando de otra manera una implementaci\u00f3n de `BaseCache`), uno o m\u00e1s nodos habilitan el almacenamiento en cach\u00e9 a trav\u00e9s de `CachePolicy`, y el atacante puede escribir en el *backend* de cach\u00e9 (por ejemplo, una instancia de Redis accesible por red con autenticaci\u00f3n d\u00e9bil/nula, infraestructura de cach\u00e9 compartida accesible por otros inquilinos/servicios, o un archivo de cach\u00e9 SQLite escribible). Un atacante debe poder escribir bytes controlados por el atacante en el *backend* de cach\u00e9 de modo que el proceso de LangGraph los lea y deserialice posteriormente. Esto normalmente requiere acceso de escritura a una cach\u00e9 en red (por ejemplo, una instancia de Redis accesible por red con autenticaci\u00f3n d\u00e9bil/nula o infraestructura de cach\u00e9 compartida accesible por otros inquilinos/servicios) o acceso de escritura al almacenamiento de cach\u00e9 local (por ejemplo, un archivo de cach\u00e9 SQLite escribible a trav\u00e9s de permisos de archivo permisivos o un volumen compartido escribible). Debido a que la explotaci\u00f3n requiere acceso de escritura a la capa de almacenamiento de cach\u00e9, este es un vector de escalada post-compromiso / post-acceso. LangGraph Checkpoint 4.0.0 corrige el problema."}], "id": "CVE-2026-27794", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T18:23:40.980", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langgraph/pull/6677"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "langgraph-checkpoint: LangGraph Checkpoint: Remote Code Execution via insecure deserialization in caching layer", "id": "2442692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442692"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in LangGraph Checkpoint. This vulnerability allows a remote attacker with write access to the cache backend to achieve remote code execution. This occurs when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. If `msgpack` serialization fails, cached values can be deserialized using `pickle.loads(...)`, leading to the execution of arbitrary code. Exploitation requires prior write access to the cache storage layer, making it a post-compromise escalation vector."], "name": "CVE-2026-27794", "package_state": [{"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Fix deferred", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-ragas-lls-provider-dsp-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-02-25T16:53:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27794\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27794\nhttps://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c\nhttps://github.com/langchain-ai/langgraph/pull/6677\nhttps://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0\nhttps://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"], "statement": "As noted above, caching is not enabled by default, and this vulnerability only affects applications which have enabled a cache backend.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "langgraph-checkpoint", "source": "cna", "vendor": "langchain-ai"}, "product": "langgraph-checkpoint", "vendor": "langchain-ai"}], "analysis": {"en": {"generated_at": "2026-04-17T15:05:12.083349+00:00", "value": {"mitigation_remediation": ["Upgrade langgraph-checkpoint to version 4.0.0 or later, where the dangerous pickle fallback has been removed.", "Configure the cache storage to deny write access from untrusted sources: enable authentication on Redis, set strict permissions on SQLite files, and isolate shared volumes to prevent cross\u2011tenant write capability.", "If caching is not required for your workflow, disable the cache backend or remove CachePolicy configurations so that no data is serialized by BaseCache.", "Monitor cache activity for unauthorized writes and set alerts for unexpected serialization attempts."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the langgraph-checkpoint package from langchain-ai, specifically all releases older than 4.0.0. Applications must have explicitly enabled a cache backend that inherits from BaseCache and have at least one node configured to cache via CachePolicy. Caching is not enabled by default, so normal usage without cache configuration is not impacted.", "description_and_impact": "The vulnerability resides in the serialization logic of LangGraph\u2019s cache layer. When BaseCache falls back from msgpack to pickle for serialization, an attacker who can write arbitrary bytes to the cache can trigger deserialization via pickle.loads during a later read. This enables execution of arbitrary code in the process that owns the LangGraph instance. The failure to default to a safe serialization mechanism means that any untrusted cache entry becomes a vector for code execution.", "risk_and_exploitability": "The CVSS base score of 6.6 reflects a moderate severity, while an EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires write access to the cache backend, making it a post\u2011compromise or post\u2011access escalation vector. If an attacker controls a network\u2011accessible Redis instance without authentication or can modify local cache files such as SQLite, they can inject malicious payloads, leading to remote code execution on the LangGraph host."}}}}, "created": "2026-02-26T13:15:18.196005+00:00", "updated": "2026-04-17T15:15:21.825121+00:00", "vendors": ["langchain-ai", "langchain-ai$PRODUCT$langgraph-checkpoint"]}