Vulnerability-Lookup

CVE-2026-28277 (GCVE-0-2026-28277)

Vulnerability from cvelistv5 – Published: 2026-03-05 19:10 – Updated: 2026-03-06 18:04

Title

LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading

Summary

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

https://github.com/langchain-ai/langgraph/securit…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	langchain-ai	langgraph	Affected: <= 1.0.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28277",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T18:04:22.963963Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T18:04:29.687Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langgraph",
          "vendor": "langchain-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-05T19:10:36.865Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"
        }
      ],
      "source": {
        "advisory": "GHSA-g48c-2wqr-h844",
        "discovery": "UNKNOWN"
      },
      "title": "LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28277",
    "datePublished": "2026-03-05T19:10:36.865Z",
    "dateReserved": "2026-02-26T01:52:58.734Z",
    "dateUpdated": "2026-03-06T18:04:29.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-28277",
      "date": "2026-04-22",
      "epss": "0.00318",
      "percentile": "0.54878"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28277\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-05T20:16:15.677\",\"lastModified\":\"2026-04-21T15:14:55.870\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.\"},{\"lang\":\"es\",\"value\":\"LangGraph SQLite Checkpoint es una implementaci\u00f3n de LangGraph CheckpointSaver que utiliza una base de datos SQLite (tanto s\u00edncrona como as\u00edncrona, a trav\u00e9s de aiosqlite). En la versi\u00f3n 1.0.9 y anteriores, los checkpointers de LangGraph pueden cargar checkpoints codificados en msgpack que reconstruyen objetos Python durante la deserializaci\u00f3n. Si un atacante puede modificar los datos del checkpoint en el almac\u00e9n de respaldo (por ejemplo, despu\u00e9s de un compromiso de la base de datos u otro acceso de escritura privilegiado a la capa de persistencia), pueden suministrar potencialmente una carga \u00fatil manipulada que desencadene una reconstrucci\u00f3n insegura de objetos cuando se carga el checkpoint. No se conoce ning\u00fan parche p\u00fablico.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:langchain:langgraph:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.0.9\",\"matchCriteriaId\":\"03EAA519-9C97-43CB-814B-DDDA61441C87\"}]}]}],\"references\":[{\"url\":\"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28277\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T18:04:22.963963Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T18:04:26.192Z\"}}], \"cna\": {\"title\": \"LangGraph: Unsafe msgpack deserialization in LangGraph checkpoint loading\", \"source\": {\"advisory\": \"GHSA-g48c-2wqr-h844\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.8, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"langchain-ai\", \"product\": \"langgraph\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.0.9\"}]}], \"references\": [{\"url\": \"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844\", \"name\": \"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-05T19:10:36.865Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28277\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T18:04:29.687Z\", \"dateReserved\": \"2026-02-26T01:52:58.734Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-05T19:10:36.865Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-G48C-2WQR-H844

Vulnerability from github – Published: 2026-03-05 20:19 – Updated: 2026-03-09 13:19

Summary

LangGraph checkpoint loading has unsafe msgpack deserialization

Details

LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded.

This is a post-exploitation / defense-in-depth issue. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest. In most deployments that prerequisite already implies a serious incident; the additional risk is turning “checkpoint-store write access” into code execution in the application runtime, which can expand blast radius (for example by exposing environment variables or cloud credentials available to the runtime).

There is no evidence of exploitation in the wild, and LangGraph is not aware of a practical exploitation path in existing deployments today. This change is intended to reduce the blast radius of a checkpoint-store compromise.

Affected users / systems

Users may be affected if they:

use a persistent checkpointer (database, remote store, shared filesystem, etc.),
load/resume from checkpoints, and
operate in an environment where an attacker could gain privileged write access to checkpoint data in the backing store.

This issue requires the attacker to be able to modify persisted checkpoint bytes (or to compromise a trusted component that writes them). It is generally not reachable by an unauthenticated remote attacker in a correctly configured deployment.

Impact

Potential arbitrary code execution or other unsafe side effects during checkpoint deserialization.
Escalation from “write access to checkpoint store” to “code execution in the application runtime,” which may expose runtime secrets or provide access to other systems the runtime can reach.

Exploitation scenario (high level)

Attacker gains privileged write access to the checkpoint store (for example, via database compromise, leaked credentials, or abuse of an administrative data path).
Attacker writes a crafted checkpoint payload containing msgpack data intended to reconstruct dangerous objects.
Application resumes and deserializes the checkpoint; unsafe reconstruction could execute attacker-controlled behavior.

Mitigation / remediation

LangGraph provides an allowlist-based hardening mechanism for msgpack checkpoint deserialization.

Strict mode (environment variable)

LANGGRAPH_STRICT_MSGPACK
When set truthy (1, true, yes), the default msgpack deserialization policy becomes strict.
Concretely: JsonPlusSerializer() will default allowed_msgpack_modules to None (strict) instead of True (warn-and-allow), unless allowed_msgpack_modules=... is explicitly passed.

`allowed_msgpack_modules` (serializer/checkpointer config)

This setting controls what msgpack “ext” types are allowed to be reconstructed.

True (default when strict mode is not enabled): allow all ext types, but log a warning when deserializing a type that is not explicitly registered.
None (strict): only a built-in safe set is reconstructed; other ext types are blocked.
[(module, class_name), ...] (strict allowlist): the built-in safe set plus exactly the listed symbols are reconstructed (exact-match).

Built-in safe set

A small set of types is always treated as safe to reconstruct (for example datetime types, uuid.UUID, decimal.Decimal, set/frozenset/deque, ipaddress types, pathlib paths, zoneinfo.ZoneInfo, compiled regex patterns, and selected LangGraph internal types).

Automatically derived allowlist (only when compiling graphs)

When LANGGRAPH_STRICT_MSGPACK is enabled and StateGraph is compiled, LangGraph derives an allowlist from the graph’s schemas and channels and applies it to the checkpointer.

The allowlist is built by walking the state/input/output/context schemas (plus node/branch input schemas) and channel value/update types. It includes Pydantic v1/v2 models, dataclasses, enums, TypedDict field types, and common typing constructs (containers, unions, Annotated).
LangGraph also includes a curated set of common LangChain message classes.

This derived allowlist is only applied if the selected checkpointer supports with_allowlist(...). If a user is constructing serializers/checkpointers manually (or using a checkpointer that does not support allowlist propagation), they will need to configure allowed_msgpack_modules themselves.

Operational guidance

Treat checkpoint stores as integrity-sensitive. Restrict write access and rotate credentials if compromise is suspected.
Enable strict mode (LANGGRAPH_STRICT_MSGPACK=true) in production if feasible, and rely on schema-driven allowlisting to reduce incompatibilities.
Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.

Limitations / important notes

If a checkpointer implementation does not support allowlist application (i.e., does not implement with_allowlist), allowlist enforcement may be skipped (with a warning). In that situation, strict expectations may not hold.
If an application supplies a custom msgpack unpack hook (ext_hook), the custom hook controls reconstruction and can bypass the default allowlist checks (intentional escape hatch, but it weakens the protection).

LangSmith / hosted deployments note

LangSmith is not aware of this issue presenting risk to existing LangSmith-hosted deployments. The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.

First reported by: yardenporat353

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langgraph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:19:49Z",
    "nvd_published_at": "2026-03-05T20:16:15Z",
    "severity": "MODERATE"
  },
  "details": "LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded.\n\nThis is a **post-exploitation / defense-in-depth** issue. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest. In most deployments that prerequisite already implies a serious incident; the additional risk is turning \u201ccheckpoint-store write access\u201d into code execution in the application runtime, which can expand blast radius (for example by exposing environment variables or cloud credentials available to the runtime).\n\nThere is no evidence of exploitation in the wild, and LangGraph is not aware of a practical exploitation path in existing deployments today. This change is intended to reduce the blast radius of a checkpoint-store compromise.\n\n## Affected users / systems\n\nUsers may be affected if they:\n\n- use a persistent checkpointer (database, remote store, shared filesystem, etc.),\n- load/resume from checkpoints, and\n- operate in an environment where an attacker could gain privileged write access to checkpoint data in the backing store.\n\nThis issue requires the attacker to be able to modify persisted checkpoint bytes (or to compromise a trusted component that writes them). It is generally not reachable by an unauthenticated remote attacker in a correctly configured deployment.\n\n## Impact\n- Potential **arbitrary code execution** or other unsafe side effects during checkpoint deserialization.\n- Escalation from \u201cwrite access to checkpoint store\u201d to \u201ccode execution in the application runtime,\u201d which may expose runtime secrets or provide access to other systems the runtime can reach.\n\n## Exploitation scenario (high level)\n1. Attacker gains privileged write access to the checkpoint store (for example, via database compromise, leaked credentials, or abuse of an administrative data path).\n2. Attacker writes a crafted checkpoint payload containing msgpack data intended to reconstruct dangerous objects.\n3. Application resumes and deserializes the checkpoint; unsafe reconstruction could execute attacker-controlled behavior.\n\n## Mitigation / remediation\nLangGraph provides an allowlist-based hardening mechanism for msgpack checkpoint deserialization.\n\n### Strict mode (environment variable)\n- **`LANGGRAPH_STRICT_MSGPACK`**\n  - When set truthy (`1`, `true`, `yes`), the default msgpack deserialization policy becomes strict.\n  - Concretely: `JsonPlusSerializer()` will default `allowed_msgpack_modules` to `None` (strict) instead of `True` (warn-and-allow), unless `allowed_msgpack_modules=...` is explicitly passed.\n\n### `allowed_msgpack_modules` (serializer/checkpointer config)\nThis setting controls what msgpack \u201cext\u201d types are allowed to be reconstructed.\n\n- `True` (default when strict mode is not enabled): allow all ext types, but log a warning when deserializing a type that is not explicitly registered.\n- `None` (strict): only a built-in safe set is reconstructed; other ext types are blocked.\n- `[(module, class_name), ...]` (strict allowlist): the built-in safe set plus exactly the listed symbols are reconstructed (exact-match).\n\n### Built-in safe set\nA small set of types is always treated as safe to reconstruct (for example `datetime` types, `uuid.UUID`, `decimal.Decimal`, `set`/`frozenset`/`deque`, `ipaddress` types, `pathlib` paths, `zoneinfo.ZoneInfo`, compiled regex patterns, and selected LangGraph internal types).\n\n### Automatically derived allowlist (only when compiling graphs)\nWhen `LANGGRAPH_STRICT_MSGPACK` is enabled and `StateGraph` is compiled, LangGraph derives an allowlist from the graph\u2019s schemas and channels and applies it to the checkpointer.\n\n- The allowlist is built by walking the state/input/output/context schemas (plus node/branch input schemas) and channel value/update types. It includes Pydantic v1/v2 models, dataclasses, enums, TypedDict field types, and common typing constructs (containers, unions, `Annotated`).\n- LangGraph also includes a curated set of common LangChain message classes.\n\nThis derived allowlist is only applied if the selected checkpointer supports `with_allowlist(...)`. If a user is constructing serializers/checkpointers manually (or using a checkpointer that does not support allowlist propagation), they will need to configure `allowed_msgpack_modules` themselves.\n\n### Operational guidance\n- Treat checkpoint stores as integrity-sensitive. Restrict write access and rotate credentials if compromise is suspected.\n- Enable strict mode (`LANGGRAPH_STRICT_MSGPACK=true`) in production if feasible, and rely on schema-driven allowlisting to reduce incompatibilities.\n- Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.\n\n## Limitations / important notes\n- If a checkpointer implementation does **not** support allowlist application (i.e., does not implement `with_allowlist`), allowlist enforcement may be skipped (with a warning). In that situation, strict expectations may not hold.\n- If an application supplies a custom msgpack unpack hook (`ext_hook`), the custom hook controls reconstruction and can bypass the default allowlist checks (intentional escape hatch, but it weakens the protection).\n\n## LangSmith / hosted deployments note\nLangSmith is not aware of this issue presenting risk to existing LangSmith-hosted deployments. The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.\n\nFirst reported by:  yardenporat353",
  "id": "GHSA-g48c-2wqr-h844",
  "modified": "2026-03-09T13:19:59Z",
  "published": "2026-03-05T20:19:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28277"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langgraph"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LangGraph checkpoint loading has unsafe msgpack deserialization"
}

FKIE_CVE-2026-28277

Vulnerability from fkie_nvd - Published: 2026-03-05 20:16 - Updated: 2026-04-21 15:14

Severity ?

6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844	Vendor Advisory, Mitigation

Impacted products

	Vendor	Product	Version
	langchain	langgraph	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:langchain:langgraph:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "03EAA519-9C97-43CB-814B-DDDA61441C87",
              "versionEndIncluding": "1.0.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In version 1.0.9 and prior, LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. No known patch is public."
    },
    {
      "lang": "es",
      "value": "LangGraph SQLite Checkpoint es una implementaci\u00f3n de LangGraph CheckpointSaver que utiliza una base de datos SQLite (tanto s\u00edncrona como as\u00edncrona, a trav\u00e9s de aiosqlite). En la versi\u00f3n 1.0.9 y anteriores, los checkpointers de LangGraph pueden cargar checkpoints codificados en msgpack que reconstruyen objetos Python durante la deserializaci\u00f3n. Si un atacante puede modificar los datos del checkpoint en el almac\u00e9n de respaldo (por ejemplo, despu\u00e9s de un compromiso de la base de datos u otro acceso de escritura privilegiado a la capa de persistencia), pueden suministrar potencialmente una carga \u00fatil manipulada que desencadene una reconstrucci\u00f3n insegura de objetos cuando se carga el checkpoint. No se conoce ning\u00fan parche p\u00fablico."
    }
  ],
  "id": "CVE-2026-28277",
  "lastModified": "2026-04-21T15:14:55.870",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-05T20:16:15.677",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-g48c-2wqr-h844"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28277 (GCVE-0-2026-28277)

GHSA-G48C-2WQR-H844

Affected users / systems

Impact

Exploitation scenario (high level)

Mitigation / remediation

Strict mode (environment variable)

allowed_msgpack_modules (serializer/checkpointer config)

Built-in safe set

Automatically derived allowlist (only when compiling graphs)

Operational guidance

Limitations / important notes

LangSmith / hosted deployments note

FKIE_CVE-2026-28277

Tags

Sightings

Nomenclature

`allowed_msgpack_modules` (serializer/checkpointer config)