CVE-2026-48121: LangGraph MongoDB: NoSQL injection leaks tenant checkpoints

## Summary A NoSQL injection vulnerability existed in `MongoDBSaver` where checkpoint identifier fields from `config.configurable` were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads (for example MongoDB operators like `$gt` and `$ne`) could be interpreted as query operators instead of literal identifier values. This could bypass intended thread scoping and return checkpoints from other tenants. ## Attack surface The vulnerable path was in `MongoDBSaver.getTuple()`, where `thread_id`, `checkpoint_ns`, and `checkpoint_id` were used in MongoDB `find()` queries. The same unvalidated values were then reused to fetch pending writes. Applications were exposed when untrusted input was forwarded into `config.configurable` (for example, directly from request bodies or query parameters) without string coercion or schema validation. ## Who is affected? Applications are vulnerable if they: - Use `@langchain/langgraph-checkpoint-mongodb` with multi-tenant or user-isolated thread models. - Accept user-controlled values for `thread_id`, `checkpoint_ns`, or `checkpoint_id`. - Pass those values into `app.invoke()`, `app.stream()`, or direct saver methods without validation. Applications are generally not vulnerable if they: - Use server-issued identifiers only. - Source `thread_id` from trusted URL params that remain strings. - Enforce schema validation that rejects non-string identifier fields. ## Impact An attacker with control over configurable checkpoint identifiers could read checkpoint data outside their authorized thread boundary. Potentially exposed data includes: - Checkpoint state - Metadata - Pending writes This is a confidentiality issue with cross-tenant data disclosure risk. ## Exploit example An attacker-controlled request can inject MongoDB operators: ```ts graph = new StateGraph(...) .compile({ checkpointer: new MongoDBSaver() }); graph.invoke(..., { configurable: { "thread_id": { "$gt": "" }, "checkpoint_ns": { "$ne": null } } }); ``` If this payload is forwarded into `config.configurable`, the resulting query may match checkpoints outside the intended tenant/thread scope. ## Security hardening changes Version `1.3.1` hardens `@langchain/langgraph-checkpoint-mongodb` by adding runtime validation for configurable checkpoint identifiers and rejecting invalid values before MongoDB query/write paths execute. The patch also includes regression tests covering object/operator payloads across affected methods. ## Migration guide Upgrade to `@langchain/langgraph-checkpoint-mongodb@1.3.1` or later. No API migration is required for valid callers. However, applications that currently pass non-string identifier values in `config.configurable` will now receive explicit errors and should normalize/validate inputs. As defense in depth, validate identifier fields at API boundaries and avoid passing raw client objects into graph config. ## Resources - Issue: https://github.com/langchain-ai/langgraphjs/issues/2351 - Fix PR: https://github.com/langchain-ai/langgraphjs/pull/2397

An attacker registered as a standard user on a multi-tenant LangGraph-based AI agent platform crafts an API request to the agent invocation endpoint. Instead of passing a valid string `thread_id`, they supply a JSON body with `{"thread_id": {"$gt": ""}, "checkpoint_ns": {"$ne": null}}`. The backend forwards this payload directly into `config.configurable` without type coercion. `MongoDBSaver.getTuple()` constructs a `find()` query using these operator payloads, causing MongoDB to return the first matching checkpoint across all tenants rather than the attacker's scoped thread. The attacker receives another user's full agent checkpoint state — including conversation history, intermediate tool results, and any sensitive data embedded in the state graph — with no privilege escalation required beyond their existing authenticated session.