PT-2026-23498 · Langgraph · Langgraph

Yardenporat353 · Published 2026-03-05 · Updated 2026-03-19

CVE-2026-28277

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LangGraph versions 1.0.9 and earlier

Description: LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker gains privileged write access to the checkpoint data store (e.g., after a database compromise), they could supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. This is considered a post-exploitation issue: it potentially allows an attacker to escalate from write access to the checkpoint store to code execution within the application runtime, which could expose runtime secrets or provide access to other systems. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest, either directly or by compromising a trusted component that writes them. There is no evidence of exploitation in the wild. The issue can lead to arbitrary code execution or other unsafe side effects during checkpoint deserialization.

Recommendations: Enable strict mode by setting the environment variable LANGGRAPH_STRICT_MSGPACK to a truthy value (e.g., '1', 'true', 'yes'). Configure the allowed msgpack modules setting to None for strict mode, or to a list of explicitly allowed modules and class names. Restrict write access to checkpoint stores and rotate credentials if a compromise is suspected. Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.
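As an added illustration of the recommended allowlist approach (hypothetical code, not LangGraph's implementation; the `__type__` tag layout, the `safe_reconstruct` and `load_checkpoint` helpers and the sample checkpoints are constructed assumptions), a loader that rebuilds tagged objects only from explicitly allowed modules and class names and treats a None allowlist as strict mode, alongside the truthy-value parsing the recommendation describes:

```python
import importlib
import os
from typing import Any, Optional

# Truthy spellings the advisory lists for LANGGRAPH_STRICT_MSGPACK.
TRUTHY = {"1", "true", "yes"}


def strict_mode_enabled(env: Optional[dict] = None) -> bool:
    """True when the strict-mode flag holds one of the truthy values."""
    env = os.environ if env is None else env
    return env.get("LANGGRAPH_STRICT_MSGPACK", "").strip().lower() in TRUTHY


def safe_reconstruct(module: str, name: str, kwargs: dict,
                     allowed: Optional[dict]) -> Any:
    """Rebuild an object from a (module, class) tag only if allowlisted.

    `allowed` maps module name -> set of class names; None means strict
    mode, where no tag may reconstruct anything. The check runs before
    any import, so a non-allowlisted module is never loaded.
    """
    if allowed is None or name not in allowed.get(module, set()):
        raise ValueError(f"refusing to reconstruct {module}.{name}")
    cls = getattr(importlib.import_module(module), name)
    return cls(**kwargs)


def load_checkpoint(decoded: dict, allowed: Optional[dict]) -> dict:
    """Resolve every tagged value in an already-unpacked checkpoint dict."""
    out = {}
    for key, value in decoded.items():
        if isinstance(value, dict) and "__type__" in value:
            module, name = value["__type__"]
            out[key] = safe_reconstruct(module, name, value.get("kwargs", {}), allowed)
        else:
            out[key] = value
    return out


# Constructed sample of what a checkpoint might look like after msgpack
# unpacking; the "__type__" tag layout is hypothetical, not LangGraph's format.
SAMPLE_TRUSTED = {
    "step": 3,
    "ts": {"__type__": ("datetime", "datetime"),
           "kwargs": {"year": 2026, "month": 3, "day": 5}},
}
# Same data with one extra tag naming a class outside the allowlist.
SAMPLE_TAMPERED = dict(SAMPLE_TRUSTED, p={"__type__": ("pathlib", "Path"), "kwargs": {}})
ALLOWED = {"datetime": {"datetime"}}
```

With ALLOWED the trusted sample loads and the tampered one is rejected before any import; with an allowlist of None (strict mode) even the trusted sample is rejected.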


Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-28277
GHSA-G48C-2WQR-H844
PYSEC-2026-83

Affected Products

Langgraph