CVE-2026-27022 Overview
A query injection vulnerability has been identified in the @langchain/langgraph-checkpoint-redis package, which serves as the Redis checkpoint and store implementation for LangGraph. The vulnerability exists in the filter handling mechanism of the RedisSaver and ShallowRedisSaver classes, where RediSearch queries are constructed by directly interpolating user-provided filter keys and values without proper escaping. When user-controlled data contains RediSearch special syntax characters, attackers can manipulate query logic to bypass intended access controls.
Critical Impact
Attackers can exploit this query injection vulnerability to bypass access controls and potentially access unauthorized data through manipulated RediSearch queries.
Affected Products
- @langchain/langgraph-checkpoint-redis versions prior to 1.0.2
- LangGraph applications using vulnerable Redis checkpoint implementations
- Systems utilizing RedisSaver or ShallowRedisSaver classes with user-provided filters
Discovery Timeline
- 2026-02-20 - CVE-2026-27022 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2026-27022
Vulnerability Analysis
This vulnerability falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and represents a classic injection flaw in the context of RediSearch query construction. The RedisSaver and ShallowRedisSaver classes fail to properly sanitize user-provided filter keys and values before incorporating them into RediSearch queries.
RediSearch uses specific syntax characters to control query behavior, including operators for field matching, logical operations, and special value handling. When these characters appear in user-controlled input without proper escaping, they become part of the query syntax rather than literal values, allowing attackers to alter the intended query logic.
The attack surface is network-accessible and requires low privileges, making it exploitable by authenticated users who can supply filter parameters to the affected classes. Successful exploitation results in unauthorized access to checkpoint data, potentially exposing sensitive application state information stored in Redis.
Root Cause
The root cause is insufficient input sanitization in the filter handling code path. The RedisSaver and ShallowRedisSaver classes directly interpolate user-provided filter parameters into RediSearch query strings without escaping RediSearch special characters. This allows attackers to inject arbitrary query syntax that modifies the intended query behavior.
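The root cause described above, seen from the fixing side, as an added example that is not the package's own code: a filter-to-query builder that allow-lists field names and backslash-escapes every value before it is placed in a TAG clause. The names escapeTagValue and buildFilterQuery, the "@key:{value}" clause shape and the escaped character set are assumptions for illustration; the sample filter is constructed.

```typescript
// Added example: NOT the package's escapeRediSearchTagValue implementation.
// Assumption: characters RediSearch treats as syntax or separators inside a
// TAG clause must be backslash-escaped to be matched literally.
const TAG_SPECIALS = /[\s,.<>{}\[\]\\"':;!@#$%^&*()\-+=~|\/]/g;

// Hypothetical helper: make every special character in one TAG value literal.
function escapeTagValue(value: string): string {
  return value.replace(TAG_SPECIALS, (ch) => "\\" + ch);
}

// Field names are interpolated after "@", so restrict them to identifier characters.
const SAFE_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Hypothetical builder: turns {key: value} filters into "@key:{value}" clauses.
function buildFilterQuery(filter: Record<string, unknown>): string {
  const clauses: string[] = [];
  for (const key of Object.keys(filter)) {
    if (!SAFE_KEY.test(key)) {
      throw new Error(`Invalid filter key: ${JSON.stringify(key)}`);
    }
    const value = filter[key];
    const kind = typeof value;
    // Objects and arrays are rejected outright instead of being stringified.
    if (kind !== "string" && kind !== "number" && kind !== "boolean") {
      throw new Error(`Filter value for "${key}" must be a string, number or boolean`);
    }
    const text = String(value);
    if (text.length === 0) {
      // An empty TAG clause is not a valid query, so fail early.
      throw new Error(`Filter value for "${key}" must not be empty`);
    }
    clauses.push(`@${key}:{${escapeTagValue(text)}}`);
  }
  // No filter means "match all", written as "*" in RediSearch.
  return clauses.length > 0 ? clauses.join(" ") : "*";
}

// Constructed sample input: a value that carries TAG syntax characters.
const sample = buildFilterQuery({ source: "team-a|team-b", step: 3 });
console.log(sample);
```

With escaping in place the "|" and "-" in the sample value reach RediSearch as literal characters of one tag instead of as query operators.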
Attack Vector
The vulnerability is exploitable over the network by any authenticated user who can provide filter parameters to the checkpoint retrieval functions. An attacker can craft malicious filter values containing RediSearch syntax characters to modify query logic and bypass access controls designed to restrict data visibility.
The fix introduces a new utility function escapeRediSearchTagValue that properly sanitizes filter values before query construction:
} from "@langchain/langgraph-checkpoint";
import { RunnableConfig } from "@langchain/core/runnables";
import { createClient, createCluster } from "redis";
+import { escapeRediSearchTagValue } from "./utils.js";
// Type for Redis client - supports both standalone and cluster
export type RedisClientType =
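Review bot: the import added from "./utils.js" brings in an escaper whose name covers tag values only, while the overview on this page says filter keys are interpolated into the query as well. The call sites are not part of this excerpt, so confirm that every place a filter key becomes a field name either escapes it or checks it against an allow-list of known fields, and add a test with a key containing "@" or "|" so a regression is caught.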
Source: GitHub Commit Update
Additionally, input validation was strengthened in the MongoDB checkpoint implementation to prevent similar operator injection attacks:
if (filter) {
Object.entries(filter).forEach(([key, value]) => {
+ // Prevent MongoDB operator injection - only allow primitive values
+ if (value !== null && typeof value === "object") {
+ throw new Error(
+ `Invalid filter value for key "${key}": filter values must be primitives (string, number, boolean, or null)`
+ );
+ }
query[`metadata.${key}`] = value;
});
}
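Review bot: the new typeof check inside the forEach guards only value; key is still placed unvalidated into query[`metadata.${key}`] two lines later, so a key containing "." or starting with "$" is accepted. Suggest rejecting keys that do not match an expected field-name pattern before building the path. The check also lets undefined, bigint, symbol and function values through although the error message promises string, number, boolean or null; an explicit allow-list of typeof results would make the code match the message.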
Source: GitHub Commit Update
Detection Methods for CVE-2026-27022
Indicators of Compromise
- Unusual or malformed filter parameters in checkpoint query requests containing RediSearch special characters (e.g., @, |, -, *, (, ))
- Unexpected access patterns to checkpoint data that bypass normal access control boundaries
- Redis query logs showing unusual query syntax or unexpected field access patterns
Detection Strategies
- Implement application-level logging for all filter parameters passed to RedisSaver and ShallowRedisSaver operations
- Monitor for filter values containing RediSearch syntax characters that may indicate injection attempts
- Review Redis slow query logs for unusual or complex query patterns that deviate from normal application behavior
- Deploy web application firewall rules to detect common injection patterns in API request parameters
Monitoring Recommendations
- Enable verbose logging on Redis instances to capture all executed queries for forensic analysis
- Implement anomaly detection for checkpoint data access patterns to identify potential unauthorized access
- Set up alerts for failed or unexpected checkpoint retrieval operations that may indicate exploitation attempts
How to Mitigate CVE-2026-27022
Immediate Actions Required
- Upgrade @langchain/langgraph-checkpoint-redis to version 1.0.2 or later immediately
- Audit application code for any custom filter handling that may have similar vulnerabilities
- Review Redis access logs for any evidence of past exploitation attempts
- Implement input validation at the application layer as an additional defense
Patch Information
The vulnerability has been fixed in @langchain/langgraph-checkpoint-redis version 1.0.2. The patch introduces the escapeRediSearchTagValue utility function that properly sanitizes filter values before they are incorporated into RediSearch queries. Organizations should upgrade to this version as soon as possible.
For detailed technical information about the fix, see the GitHub Security Advisory, GitHub Pull Request, and the release notes for version 1.0.2.
Workarounds
- If immediate upgrade is not possible, implement custom input validation to reject filter values containing RediSearch special characters (@, |, -, *, (, ), {, }, [, ], \)
- Restrict access to checkpoint query functionality to trusted users only until the patch can be applied
- Consider implementing a proxy layer that sanitizes filter parameters before they reach the vulnerable code
# Upgrade to patched version
npm install @langchain/langgraph-checkpoint-redis@1.0.2
# Verify installed version
npm list @langchain/langgraph-checkpoint-redis
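One way to implement the filter check named under Detection Strategies and under Workarounds, as an added example that is not part of the package: it reports which filter keys and values contain the RediSearch characters listed in the Workarounds section, writes one structured log line per finding, and returns whether the filter may proceed. The names inspectFilter and checkFilter, the log event name and the sample filter are hypothetical.

```typescript
// Added example, not part of the package. Character list taken from the
// Workarounds section of this advisory: @ | - * ( ) { } [ ] \
const REDISEARCH_SYNTAX = /[@|\-*(){}\[\]\\]/g;

interface FilterFinding {
  key: string;
  where: "key" | "value";
  chars: string[]; // distinct syntax characters found, in order of appearance
}

function syntaxChars(text: string): string[] {
  const hits: string[] = text.match(REDISEARCH_SYNTAX) || [];
  return hits.filter((ch, i) => hits.indexOf(ch) === i);
}

// Hypothetical audit helper: which filter keys or values carry syntax characters?
function inspectFilter(filter: Record<string, unknown>): FilterFinding[] {
  const findings: FilterFinding[] = [];
  for (const key of Object.keys(filter)) {
    const inKey = syntaxChars(key);
    if (inKey.length > 0) findings.push({ key, where: "key", chars: inKey });
    const value = filter[key];
    if (typeof value === "string") {
      const inValue = syntaxChars(value);
      if (inValue.length > 0) findings.push({ key, where: "value", chars: inValue });
    }
  }
  return findings;
}

// Hypothetical gate for deployments that cannot upgrade yet: log each finding,
// then tell the caller whether the filter may be passed on (true) or rejected.
function checkFilter(filter: Record<string, unknown>, log: (line: string) => void): boolean {
  const findings = inspectFilter(filter);
  for (const f of findings) {
    // The raw value is left out of the log line; key and characters are enough to alert on.
    log(JSON.stringify({ event: "redisearch_syntax_in_filter", key: f.key, where: f.where, chars: f.chars }));
  }
  return findings.length === 0;
}

// Constructed sample input.
const lines: string[] = [];
const ok = checkFilter({ source: "web", tenant: "a|b*" }, (l) => lines.push(l));
console.log(ok, lines);
```

Call checkFilter before handing a filter to RedisSaver or ShallowRedisSaver; on a patched version the same call can stay in place as a logging-only detector.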


