CVE-2026-48775: LangGraph SQLite: deserialization RCE at checkpoint load

MEDIUM
Published June 16, 2026
CISO Take

LangGraph's SQLite checkpoint backend (versions ≤4.1.0) allows arbitrary Python object reconstruction at checkpoint load time via JsonPlusSerializer, enabling code execution if checkpoint data at rest can be modified by an unauthorized party. While exploitation requires write access to the SQLite backing store — a serious incident in its own right — the vulnerability escalates that foothold into full application-level RCE, dramatically compounding blast radius in agentic pipelines where checkpoints persist tool-call state, intermediate outputs, and potentially in-flight credentials. There is no public exploit and this is not in CISA KEV, but LangGraph's broad adoption in production agent frameworks warrants prompt action. Upgrade to langgraph-checkpoint-sqlite 4.1.1 and immediately audit file-system ACLs on all SQLite checkpoint stores.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium severity (CVSS 6.8) with constrained exploitability: adjacent network access and high privileges are required, materially narrowing the attack surface. However, in agentic AI deployments the checkpoint store often resides on shared infrastructure where lateral movement from a single compromised sidecar or co-located service can grant the necessary write access. The real risk is privilege escalation — converting an already-significant storage compromise into guaranteed code execution inside the LangGraph runtime, including access to any secrets or API tokens the agent holds in memory.

How does the attack unfold?

1. Storage Access (AML.T0037)
   Attacker obtains write access to the SQLite checkpoint file via misconfigured file permissions, path traversal in a co-located service, or lateral movement from a compromised container on shared infrastructure.

2. Payload Injection (AML.T0080.000)
   Attacker overwrites a checkpoint entry with a crafted JSON payload embedding a malicious Python object whose __reduce__ method executes an OS command upon deserialization.

3. Code Execution (AML.T0050)
   LangGraph agent resumes from the poisoned checkpoint; JsonPlusSerializer reconstructs the malicious object and triggers arbitrary code execution within the application runtime process.

4. Impact (AML.T0112)
   Attacker gains persistent code execution with the agent process's privileges, enabling exfiltration of LLM API keys and tool credentials, lateral movement to downstream AI services, and backdoor installation.

What systems are affected?

Package: LangGraph
Ecosystem: pip
Vulnerable Range: (not given)
Patched: No patch

Do you use LangGraph? You're affected.

How severe is it?

CVSS 3.1: 6.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps
  1. Upgrade langgraph-checkpoint-sqlite to 4.1.1 immediately — this is a targeted patch with no breaking API changes.

  2. Restrict file-system permissions on SQLite checkpoint files to the minimum necessary service account; revoke group/world write bits.

  3. For higher-assurance environments, migrate to a checkpoint backend with stronger access controls (e.g., PostgreSQL with row-level security).

  4. Monitor for anomalous child process spawns or unexpected outbound connections from LangGraph worker processes as a detection signal.

  5. If immediate patching is blocked, disable checkpoint persistence entirely or run the deserialization step in a sandboxed subprocess with no network access.
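A permission audit for a SQLite checkpoint store, covering step 2 above, as an added example that is not from the advisory or from langgraph-checkpoint-sqlite. It assumes a POSIX host and a placeholder file name, and it goes slightly beyond the step by also checking SQLite's -wal/-shm/-journal sidecar files and the containing directory, since write access to any of those is equivalent to write access to the store.

```python
"""Audit permissions on a LangGraph SQLite checkpoint store (added example,
not part of the advisory or of langgraph-checkpoint-sqlite). Assumes a POSIX
host; file names are placeholders."""
import os
import stat
import tempfile

# SQLite keeps sidecar files beside the main DB; write access to any of them,
# or to the directory (rename/replace), is equivalent to write access to the store.
SIDECAR_SUFFIXES = ("-wal", "-shm", "-journal")

def audit_checkpoint_store(db_path, expected_uid=None):
    """Return a list of findings; an empty list means the store passes."""
    findings = []
    targets = [db_path] + [db_path + s for s in SIDECAR_SUFFIXES]
    targets.append(os.path.dirname(os.path.abspath(db_path)))
    for path in targets:
        if not os.path.exists(path):
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: group/world writable (mode {oct(mode)})")
        if os.path.isfile(path) and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{path}: readable by group/others; checkpoints may hold secrets")
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings

def demo_audit():
    """Constructed scenario: a world-writable store, then the same store hardened."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "checkpoints.sqlite")  # placeholder name
        for path in (db, db + "-wal"):
            with open(path, "wb") as f:
                f.write(b"constructed sample, not a real SQLite file")
            os.chmod(path, 0o666)
        before = audit_checkpoint_store(db, expected_uid=os.getuid())
        for path in (db, db + "-wal"):
            os.chmod(path, 0o600)
        after = audit_checkpoint_store(db, expected_uid=os.getuid())
    return before, after

if __name__ == "__main__":
    before, after = demo_audit()
    print("\n".join(before) or "no findings")
    print("after hardening:", after or "no findings")
```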

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM04 - Data and Model Poisoning

Frequently Asked Questions

What is CVE-2026-48775?

LangGraph's SQLite checkpoint backend (versions ≤4.1.0) allows arbitrary Python object reconstruction at checkpoint load time via JsonPlusSerializer, enabling code execution if checkpoint data at rest can be modified by an unauthorized party. While exploitation requires write access to the SQLite backing store — a serious incident in its own right — the vulnerability escalates that foothold into full application-level RCE, dramatically compounding blast radius in agentic pipelines where checkpoints persist tool-call state, intermediate outputs, and potentially in-flight credentials. There is no public exploit and this is not in CISA KEV, but LangGraph's broad adoption in production agent frameworks warrants prompt action. Upgrade to langgraph-checkpoint-sqlite 4.1.1 and immediately audit file-system ACLs on all SQLite checkpoint stores.

Is CVE-2026-48775 actively exploited?

No confirmed active exploitation of CVE-2026-48775 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-48775?

  1. Upgrade langgraph-checkpoint-sqlite to 4.1.1 immediately — this is a targeted patch with no breaking API changes.

  2. Restrict file-system permissions on SQLite checkpoint files to the minimum necessary service account; revoke group/world write bits.

  3. For higher-assurance environments, migrate to a checkpoint backend with stronger access controls (e.g., PostgreSQL with row-level security).

  4. Monitor for anomalous child process spawns or unexpected outbound connections from LangGraph worker processes as a detection signal.

  5. If immediate patching is blocked, disable checkpoint persistence entirely or run the deserialization step in a sandboxed subprocess with no network access.

What systems are affected by CVE-2026-48775?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, stateful LLM applications, multi-turn conversational agents, agentic pipelines.

What is the CVSS score for CVE-2026-48775?

CVE-2026-48775 has a CVSS v3.1 base score of 6.8 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, stateful LLM applications, multi-turn conversational agents, agentic pipelines

MITRE ATLAS Techniques

AML.T0011.000 Unsafe AI Artifacts
AML.T0037 Data from Local System
AML.T0050 Command and Scripting Interpreter
AML.T0080.000 Memory

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.

Exploitation Scenario

An attacker with write access to the SQLite checkpoint file — obtained via path traversal in a co-located service, misconfigured shared NFS/EFS storage, or lateral movement from a compromised container — crafts a malicious JSON checkpoint payload embedding a Python class that invokes os.system() or subprocess.Popen() via its __reduce__ method. When the LangGraph application next resumes from that checkpoint, JsonPlusSerializer reconstructs the object, triggering OS command execution in the agent process. The attacker gains a reverse shell with the agent's runtime permissions, including mounted secrets, LLM provider API keys, and credentials for any tools the agent has been granted access to.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
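The HMAC mitigation listed above, applied to checkpoint bytes before they ever reach the deserializer, as an added example that is not langgraph's code: `SealedSerializer` and the `PlainJson` stand-in are hypothetical, and the inner serializer is assumed to expose dumps(obj) -> bytes and loads(bytes) -> obj.

```python
"""Seal checkpoint bytes with HMAC-SHA256 so a row modified at rest is rejected
before any deserialization runs. Added example, not langgraph's code."""
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # HMAC-SHA256 output size

class SealedSerializer:
    def __init__(self, key, inner):
        if len(key) < 32:
            raise ValueError("use a 256-bit key from a secret manager")
        self._key, self._inner = key, inner  # inner: assumed dumps/loads shape

    def dumps(self, obj):
        payload = self._inner.dumps(obj)
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return tag + payload  # this is what gets written to the store

    def loads(self, data):
        if len(data) < TAG_LEN:
            raise ValueError("sealed checkpoint too short")
        tag, payload = data[:TAG_LEN], data[TAG_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        # Constant-time compare; nothing is parsed until the tag verifies.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("checkpoint integrity check failed; refusing to load")
        return self._inner.loads(payload)

class PlainJson:
    # Stand-in inner serializer for the demo; plain json reconstructs no objects.
    def dumps(self, obj):
        return json.dumps(obj, sort_keys=True).encode()

    def loads(self, data):
        return json.loads(data)

def demo():
    """Constructed round trip, then a one-byte tamper of the stored blob."""
    s = SealedSerializer(os.urandom(32), PlainJson())  # demo key only
    sealed = s.dumps({"channel_values": {"messages": ["hi"]}, "step": 3})
    restored = s.loads(sealed)
    tampered = bytearray(sealed)
    tampered[-2] ^= 0x01  # flip one bit inside the JSON payload region
    try:
        s.loads(bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return restored, rejected
```

A key rotation or a blob sealed under a different key fails the same check, so the store cannot be swapped between deployments without re-sealing.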

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 16, 2026
Last Modified
June 16, 2026
First Seen
June 16, 2026

Related Vulnerabilities