When the Agent Framework Is the Vulnerability
Check Point Research disclosed a critical vulnerability chain in LangGraph — the open-source AI agent framework developed by the creators of LangChain. With 46.5 million monthly downloads, LangGraph powers enterprise automation, customer support systems, and internal business applications across thousands of production deployments. The vulnerability chain allows attackers to achieve full remote code execution on self-hosted LangGraph servers.
The chain combines two vulnerabilities: CVE-2025-67644, a SQL injection in the SQLite checkpointer, and CVE-2026-28277, an unsafe msgpack deserialization. A third vulnerability (CVE-2026-27022) introduces the same injection class into the Redis checkpointer. The attack requires user-controlled input reaching the checkpointer — a condition that is met by default in most AI agent deployments where the agent processes external queries.
What the Attacker Gets
A compromised LangGraph server gives the attacker access to everything the AI agent can reach: LLM API keys (OpenAI, Anthropic, Google) stored in environment variables, customer conversation histories stored in the checkpointer database, and credentials for connected external systems (CRMs, internal APIs, databases, payment processors). The AI agent's broad access permissions become the attacker's broad access permissions.
This is the AI agent security paradox. A useful agent needs access to many systems. That access makes it a high-value target. When the framework managing that access has a SQL injection in its persistence layer, the agent's capabilities become the attacker's capabilities. The more powerful the agent, the more valuable the compromise.
The AI Framework Security Gap
LangGraph is not the first AI framework with critical vulnerabilities. LangChain itself had file exposure and secrets leakage vulnerabilities disclosed in March 2026. The pattern is consistent: AI frameworks are being built at startup speed, prioritizing capability over security, and deployed in production environments where they handle sensitive data and hold privileged credentials.
The web framework industry learned these lessons over two decades — input validation, parameterized queries, secure deserialization. AI agent frameworks are repeating the same mistakes at compressed timescales. A SQL injection in a checkpointer is not a novel attack. It is a solved problem in web frameworks that the AI framework ecosystem has not yet solved.
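An added example, not code from LangGraph or from this article: a checkpoint lookup built by string concatenation beside a hardened version that binds every value and allow-lists the filter column names, which placeholders cannot cover. The `checkpoints` table, its columns and all function names are hypothetical, and the rows and the crafted input are constructed sample data.

```python
import sqlite3

# Hypothetical schema for illustration; columns a caller may filter on.
FILTER_COLUMNS = {"source", "step"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints "
               "(thread_id TEXT, source TEXT, step INTEGER, state BLOB)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?, ?, ?)", [
        ("tenant-a", "chat", 1, b"state-a"),   # constructed sample rows
        ("tenant-b", "chat", 1, b"state-b"),
    ])
    return db

def list_unsafe(db, thread_id, filters):
    # Weak form: caller-supplied text becomes part of the SQL statement.
    sql = f"SELECT thread_id FROM checkpoints WHERE thread_id = '{thread_id}'"
    for column, value in filters.items():
        sql += f" AND {column} = '{value}'"
    return [row[0] for row in db.execute(sql)]

def list_safe(db, thread_id, filters):
    # Hardened form: values are bound parameters and never parsed as SQL.
    sql = "SELECT thread_id FROM checkpoints WHERE thread_id = ?"
    params = [thread_id]
    for column, value in filters.items():
        # Identifiers cannot be bound, so only allow-listed names pass.
        if column not in FILTER_COLUMNS:
            raise ValueError(f"rejected filter column: {column!r}")
        sql += f" AND {column} = ?"
        params.append(value)
    return [row[0] for row in db.execute(sql, params)]

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quote early
    # Unsafe lookup crosses tenant boundaries; safe lookup matches nothing.
    return list_unsafe(db, crafted, {}), list_safe(db, crafted, {})

if __name__ == "__main__":
    print(demo())
```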
Framework Choice for AI Infrastructure
Organizations deploying AI agents face a framework choice that mirrors the web framework decision. LangGraph with the default SQLite checkpointer has a SQL injection. A custom agent built on FastAPI with parameterized database queries does not. The framework abstractions that make AI agents easy to build also make them easy to exploit when those abstractions have vulnerabilities.
WebPulse's AI-Readiness scoring evaluates how well frameworks serve AI agents. But frameworks also need to be evaluated on how safely they host AI agents. The LangGraph vulnerability chain demonstrates that the hosting framework is as much a part of the AI security posture as the LLM itself. A secure model behind an insecure framework is a secure engine in an unlocked car.


