A SQL injection in LangGraph's agent memory chains into RCE

TL;DR: A crafted history filter on a self-hosted LangGraph turns its saved agent memory into a server takeover through ordinary SQL injection plus unsafe deserialization. Patch the checkpointer packages, including the core langgraph-checkpoint.

LangGraph gives an AI agent a memory. At every step of a run, it saves the agent's state to a persistence layer it calls a checkpointer, so the agent can pick up where it left off. Apps read that history back through a single function, get_state_history(), and many of them let a user filter it.

The keys of the user's filter are pasted into the query as code, not data. A crafted filter makes the database return a fake row the attacker controls. When the server reads that row back, the deserializer calls a function named inside it, such as os.system.

Yarden Porat of Check Point Research published "From SQLi to RCE - Exploiting LangGraph's Checkpointer," chaining the SQL injection into remote code execution on a self-hosted agent server.

From get_state_history to a UNION-injected row to os.system. Source: Check Point Research.

Highlights:

  • Three CVEs: CVE-2025-67644, a SQL injection in SQLite (CVSS 7.3), CVE-2026-27022, a query injection in Redis (CVSS 6.5), and CVE-2026-28277, unsafe msgpack deserialization (CVSS 6.8).
  • The bug: the SQLite checkpointer binds the filter values as parameters but formats the keys straight into the SQL. A key containing a quote injects arbitrary SQL. The Redis checkpointer repeats the mistake in RediSearch's query language.
  • The chain: on SQLite, the attacker's UNION SELECT returns a fake msgpack row they control. When the server reads that row back, the deserializer runs a function named inside it, such as os.system. The deserializer lives in the shared core langgraph-checkpoint package. Redis stops at data exposure.
  • Preconditions: a self-hosted LangGraph on the SQLite or Redis checkpointer, with the filter exposed to untrusted input. The managed service runs Postgres and is not vulnerable.
  • LangGraph draws over 50 million PyPI downloads a month. The fixes are langgraph-checkpoint-sqlite 3.0.1, langgraph-checkpoint-redis 1.0.2, and langgraph-checkpoint 4.0.1, and a public proof of concept already exists.

A crafted filter key reaches json_extract and injects a UNION SELECT. Source: Check Point Research.
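
The key-formatting mistake described above, next to a hardened builder. This is an added example, not LangGraph's code or its patch: the table, the rows, the function names and the key allowlist are all assumptions made for illustration.

```python
import re
import sqlite3

KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed allowlist for metadata keys

def make_db():
    """Constructed table and rows; not the checkpointer's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)", [
        ("alice", '{"source": "input", "step": 1}'),
        ("alice", '{"source": "loop", "step": 2}'),
        ("bob", '{"source": "input", "step": 1}'),
    ])
    return db

def where_unsafe(flt):
    # The pattern described above: values are bound, keys become SQL text.
    clauses = [f"json_extract(metadata, '$.{key}') = ?" for key in flt]
    return clauses, list(flt.values())

def where_safe(flt):
    # Keys are checked against the allowlist, then bound as the JSON path.
    clauses, params = [], []
    for key, value in flt.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return clauses, params

def history(db, thread_id, flt, build):
    clauses, params = build(flt)
    sql = " AND ".join(["SELECT metadata FROM checkpoints WHERE thread_id = ?", *clauses])
    return [row[0] for row in db.execute(sql, [thread_id, *params])]

def outcome(db, flt, build):
    """Classify what one filter does: row count, SQL error, or rejected."""
    try:
        return len(history(db, "alice", flt, build))
    except sqlite3.OperationalError:
        return "sql-error"   # the key was parsed as SQL, not treated as data
    except ValueError:
        return "rejected"    # stopped before any SQL was built

if __name__ == "__main__":
    db = make_db()
    for flt in ({"source": "input"}, {"a'b": "x"}):  # second key: lone quote
        print(flt, outcome(db, flt, where_unsafe), outcome(db, flt, where_safe))
```

A filter key that produces a SQL syntax error is a useful test signal: it means the key reached the SQL parser, so upgrading matters even if the application validates values.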

My take:

  1. Memory poisoning is becoming a critical attack vector, and Microsoft already caught 31 companies doing it in the wild. A fake fact becomes trusted memory and silently steers the agent in later sessions. Poisoning is the write side. This is the read side. The database that powers memory is a SQL injection target, and reading it back triggers code execution.
  2. Nothing here is an AI vulnerability. SQL injection and unsafe deserialization are well-known. They are worse here because code execution on an agent server exposes every credential and conversation it held.
  3. The SQL injection is only the way in. The deserializer is what runs the code, and it sits in the core langgraph-checkpoint package, shared by both backends. So upgrade that core package to 4.0.1, and the SQLite and Redis ones to 3.0.1 and 1.0.2.

Sources:

  1. Check Point Research, From SQLi to RCE - Exploiting LangGraph's Checkpointer
  2. Check Point Blog, When Your AI Agent's Memory Becomes a Security Liability
  3. The Weather Report, Half of attacks on LLM agent memory succeed
  4. The Weather Report, Microsoft caught 31 companies poisoning AI assistant memory