CVE-2026-27794 Overview
A Remote Code Execution vulnerability exists in LangGraph's caching layer due to insecure deserialization when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to langgraph-checkpoint version 4.0.0, BaseCache defaults to JsonPlusSerializer(pickle_fallback=True), which allows cached values to be deserialized via pickle.loads(...) when msgpack serialization fails. This creates a dangerous attack surface where an attacker with write access to the cache backend can inject malicious serialized objects that execute arbitrary code when deserialized by the LangGraph process.
Critical Impact
Attackers with write access to cache backends (Redis, SQLite, or shared cache infrastructure) can achieve Remote Code Execution by injecting malicious pickle-serialized payloads into the cache layer.
Affected Products
- LangGraph Checkpoint versions prior to 4.0.0
- LangGraph Checkpoint Postgres versions prior to 3.0.3
- Applications using BaseCache implementations with CachePolicy enabled nodes
Discovery Timeline
- February 25, 2026 - CVE-2026-27794 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27794
Vulnerability Analysis
This vulnerability represents a classic insecure deserialization flaw (CWE-502) within the LangGraph checkpoint caching mechanism. The core issue stems from the JsonPlusSerializer class defaulting to pickle_fallback=True, which enables Python's native pickle serialization as a fallback when the primary msgpack serialization fails.
Python's pickle module is inherently unsafe when deserializing untrusted data, as it can execute arbitrary Python code during the deserialization process. The attack requires specific conditions to be exploited: the application must explicitly enable a cache backend by passing cache=... to StateGraph.compile(...) or by configuring a BaseCache implementation, and one or more nodes must opt into caching via CachePolicy.
The exploitation scenario involves an attacker gaining write access to the cache storage layer—whether through a network-accessible Redis instance with weak or no authentication, shared cache infrastructure accessible by other tenants or services, or a writable SQLite cache file with permissive file permissions. Once the attacker can write controlled bytes to the cache, the LangGraph process will read and deserialize them, triggering arbitrary code execution.
Root Cause
The root cause is the default configuration of JsonPlusSerializer(pickle_fallback=True) in the BaseCache implementation. This design decision prioritizes serialization flexibility over security by allowing pickle deserialization as a fallback mechanism. When msgpack fails to serialize certain Python objects, the system falls back to pickle, which can deserialize arbitrary Python bytecode. The fix in version 4.0.0 changes this default to disable the pickle fallback, requiring explicit opt-in for applications that need pickle serialization.
Attack Vector
The attack vector is network-based but requires elevated privileges, as the attacker must have write access to the cache backend. This positions the vulnerability as a post-compromise or post-access escalation vector rather than an initial access technique.
Typical attack scenarios include:
- Compromised Redis Instance: A network-accessible Redis cache with weak or missing authentication allows attackers to write malicious pickle payloads directly to cached keys
- Multi-tenant Environment: Shared cache infrastructure where one tenant can write to cache keys that another tenant's LangGraph process will deserialize
- Local File Access: Writable SQLite cache files with permissive file permissions or shared writable volumes enable local attackers to inject payloads
The attack flow involves crafting a malicious pickle payload containing code to execute, writing this payload to the cache backend under a key that will be accessed by the target LangGraph process, and waiting for the application to read and deserialize the cached value, triggering code execution.
[[package]]
name = "langgraph-checkpoint"
-version = "3.0.1"
+version = "4.0.0"
source = { editable = "../checkpoint" }
dependencies = [
{ name = "langchain-core" },
Source: GitHub Commit
Detection Methods for CVE-2026-27794
Indicators of Compromise
- Unexpected pickle-serialized objects appearing in cache backends (Redis, SQLite, or other BaseCache implementations)
- Anomalous write operations to cache keys from unauthorized sources or IP addresses
- Process spawning or network connections originating from LangGraph application processes that are inconsistent with normal behavior
- Python pickle magic bytes (\\x80\\x04\\x95 for protocol 4) in cache entries where msgpack serialization is expected
Detection Strategies
- Monitor cache backend access logs for unauthorized write operations, particularly from external or untrusted sources
- Implement content inspection on cache writes to detect pickle-serialized payloads when msgpack is expected
- Deploy network segmentation and authentication monitoring for Redis and other networked cache services
- Enable application-level logging for deserialization events, particularly when pickle fallback is triggered
Monitoring Recommendations
- Configure alerting for any pickle deserialization events in LangGraph applications using the legacy BaseCache configuration
- Monitor for unusual process behavior (network connections, file system access, subprocess creation) from LangGraph worker processes
- Implement anomaly detection for cache access patterns to identify potential injection attempts
- Review authentication logs for cache backends to detect credential compromise or brute-force attempts
How to Mitigate CVE-2026-27794
Immediate Actions Required
- Upgrade langgraph-checkpoint to version 4.0.0 or later immediately
- Audit all cache backend configurations for proper authentication and network isolation
- Review file permissions on SQLite cache files to ensure they are not world-writable
- Verify that Redis instances and other networked caches require strong authentication and are not exposed to untrusted networks
Patch Information
LangGraph Checkpoint version 4.0.0 patches this vulnerability by changing the default serializer configuration to disable pickle fallback. The fix is documented in GitHub Pull Request #6677 and the GitHub Security Advisory GHSA-mhr3-j7m5-c7c9.
For langgraph-checkpoint-postgres users, upgrade to version 3.0.3 or later, which updates the dependency constraint to allow langgraph-checkpoint>=2.1.2,<5.0.0.
Workarounds
- If upgrading is not immediately possible, explicitly configure JsonPlusSerializer(pickle_fallback=False) in your cache backend configuration
- Restrict network access to cache backends using firewall rules and ensure Redis instances require authentication
- For SQLite cache files, ensure restrictive file permissions (e.g., chmod 600) and avoid shared writable volumes
- Consider disabling caching entirely by not passing cache=... to StateGraph.compile(...) until the upgrade can be applied
# Verify langgraph-checkpoint version
pip show langgraph-checkpoint | grep Version
# Upgrade to patched version
pip install --upgrade langgraph-checkpoint>=4.0.0
# For postgres checkpoint users
pip install --upgrade langgraph-checkpoint-postgres>=3.0.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
