PT-2026-21967 · Redis+3

Zdi-Disclosures · Published 2026-02-25 · Updated 2026-03-03 · CVE-2026-27794

CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LangGraph versions prior to 4.0.0

Description

A Remote Code Execution issue exists in LangGraph's caching layer when applications enable cache backends inheriting from BaseCache and opt nodes into caching via CachePolicy. Prior to version 4.0.0, BaseCache defaults to JsonPlusSerializer(pickle_fallback=True). When msgpack serialization fails, cached values can be deserialized using pickle.loads(...). Exploitation requires write access to the cache backend, such as a network-accessible Redis instance with weak or no authentication, shared cache infrastructure, or a writable SQLite cache file. An attacker must be able to write attacker-controlled bytes into the cache backend, which the LangGraph process later reads and deserializes. This is considered a post-compromise/post-access escalation vector. The issue is resolved in langgraph-checkpoint version 4.0.0 by disabling pickle fallback by default (pickle_fallback=False).

Recommendations

Upgrade to langgraph-checkpoint version 4.0.0 or later.
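
The default described above, modelled as an added example that is not LangGraph's code and not part of the original advisory: a toy type-tagged serializer that refuses pickle unless opted in, plus a defender's audit of cache entries. The class and function names, the (tag, bytes) entry layout and the sample cache are assumptions constructed for illustration, and the standard-library json module stands in for msgpack so the block runs offline.

```python
import json
import pickle


class TypedSerializer:
    """Toy model of a type-tagged cache serializer (assumption, not LangGraph code)."""

    def __init__(self, pickle_fallback=False):
        self.pickle_fallback = pickle_fallback

    def dumps_typed(self, obj):
        try:
            return "json", json.dumps(obj).encode()
        except (TypeError, ValueError):
            if not self.pickle_fallback:
                raise  # hardened default: fail instead of writing pickle
            return "pickle", pickle.dumps(obj)

    def loads_typed(self, entry):
        tag, data = entry
        if tag == "json":
            return json.loads(data)
        if tag == "pickle" and self.pickle_fallback:
            return pickle.loads(data)  # unsafe on bytes anyone else could write
        raise ValueError(f"refusing cache entry with type tag {tag!r}")


def looks_like_pickle(data):
    # Pickle protocols 2-5 start with the PROTO opcode 0x80 and the protocol number.
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5


def audit_cache(entries):
    """Return keys whose entry is pickle-tagged or whose bytes carry a pickle header."""
    return sorted(k for k, (tag, data) in entries.items()
                  if tag == "pickle" or looks_like_pickle(data))


# Constructed sample cache: one JSON entry and one benign pickle entry (a set).
legacy = TypedSerializer(pickle_fallback=True)
SAMPLE_CACHE = {
    "node:a": legacy.dumps_typed({"answer": 42}),
    "node:b": legacy.dumps_typed({1, 2, 3}),
}

if __name__ == "__main__":
    print("entries to review:", audit_cache(SAMPLE_CACHE))
    try:
        TypedSerializer().loads_typed(SAMPLE_CACHE["node:b"])
    except ValueError as exc:
        print("hardened reader:", exc)
```

Entries flagged by the audit were written while the fallback was enabled; after upgrading they need to be evicted or rewritten, since a reader with the fallback disabled will reject them.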

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-27794
GHSA-MHR3-J7M5-C7C9
ZDI-26-135

Affected Products

Jsonplusserializer
Langgraph
Redis
Sqlite