{"id":"CVE-2026-27794","summary":"LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution","details":"LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from `BaseCache` and opt nodes into caching via `CachePolicy`. Prior to `langgraph-checkpoint` 4.0.0, `BaseCache` defaults to `JsonPlusSerializer(pickle_fallback=True)`. When msgpack serialization fails, cached values can be deserialized via `pickle.loads(...)`. Caching is not enabled by default. Applications are affected only when the application explicitly enables a cache backend (for example by passing `cache=...` to `StateGraph.compile(...)` or otherwise configuring a `BaseCache` implementation), one or more nodes opt into caching via `CachePolicy`, and the attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file). An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. LangGraph Checkpoint 4.0.0 patches the issue.",
"aliases":["GHSA-mhr3-j7m5-c7c9"],"modified":"2026-04-10T05:37:27.149075Z","published":"2026-02-25T16:53:47.176Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27794.json","cwe_ids":["CWE-502"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D4.0.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27794.json"},{"type":"ADVISORY","url":"https://github.com/langchain-ai/langgraph/security/advisories/GHSA-mhr3-j7m5-c7c9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27794"},{"type":"FIX","url":"https://github.com/langchain-ai/langgraph/commit/f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"},{"type":"FIX","url":"https://github.com/langchain-ai/langgraph/pull/6677"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/langchain-ai/langgraph","events":[{"introduced":"0"},{"fixed":"f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"}]},{"type":"GIT","repo":"https://github.com/langchain-ai/langgraph","events":[{"introduced":"0"},{"fixed":"f91d79d0c86932ded6e3b9f195d5a0bbd5aef99c"}]}],"versions":["0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.2.10","0.2.11","0.2.12","0.2.13","0.2.15","0.2.16","0.2.17","0.2.18","0.2.19","0.2.2","0.2.20","0.2.21","0.2.22","0.2.23","0.2.24","0.2.25","0.2.26","0.2.27","0.2.28","0.2.29","0.2.3","0.2.30","0.2.31","0.2.32","0.2.33","0.2.34","0.2.35","0.2.36","0.2.37","0.2.38","0.2.39","0.2.4","0.2.40","0.2.41","0.2.42","0.2.43","0.2.44","0.2.45","0.2.46","0.2.47","0.2.48","0.2.49","0.2.5","0.2.50","0.2.51","0.2.52","0.2.53","0.2.54","0.2.55","0.2.56","0.2.57","0.2.58","0.2.59","0.2.6","0.2.60","0.2.61","0.2.62","0.2.63","0.2.64","0.2.65","0.2.66","0.2.67","0.2.68","0.2.69",
"0.2.7","0.2.70","0.2.71","0.2.72","0.2.73","0.2.74","0.2.75","0.2.76","0.2.9","0.3.0","0.3.1","0.3.10","0.3.11","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.17","0.3.18","0.3.19","0.3.2","0.3.20","0.3.21","0.3.22","0.3.23","0.3.24","0.3.25","0.3.26","0.3.27","0.3.28","0.3.29","0.3.3","0.3.30","0.3.31","0.3.32","0.3.34","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.5.0","0.5.0rc0","0.5.0rc1","0.5.1","0.5.2","0.5.3","0.5.4","0.6.0","0.6.0a1","0.6.0a2","0.6.1","0.6.10","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","1.0.0","1.0.0rc1","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","checkpoint==1.0.0","checkpoint==1.0.1","checkpoint==1.0.10","checkpoint==1.0.11","checkpoint==1.0.12","checkpoint==1.0.13","checkpoint==1.0.14","checkpoint==1.0.2","checkpoint==1.0.3","checkpoint==1.0.4","checkpoint==1.0.7","checkpoint==1.0.8","checkpoint==1.0.9","checkpoint==2.0.0","checkpoint==2.0.1","checkpoint==2.0.10","checkpoint==2.0.12","checkpoint==2.0.13","checkpoint==2.0.14","checkpoint==2.0.15","checkpoint==2.0.16","checkpoint==2.0.17","checkpoint==2.0.18","checkpoint==2.0.19","checkpoint==2.0.2","checkpoint==2.0.20","checkpoint==2.0.21","checkpoint==2.0.22","checkpoint==2.0.23","checkpoint==2.0.24","checkpoint==2.0.25","checkpoint==2.0.26","checkpoint==2.0.3","checkpoint==2.0.4","checkpoint==2.0.5","checkpoint==2.0.6","checkpoint==2.0.7","checkpoint==2.0.8","checkpoint==2.0.9","checkpoint==2.1.0","checkpoint==2.1.1","checkpoint==2.1.2","checkpoint==3.0.0","checkpoint==3.0.1","checkpointduckdb==2.0.0","checkpointduckdb==2.0.1","checkpointduckdb==2.0.2","checkpointpostgres==1.0.0","checkpointpostgres==1.0.1","checkpointpostgres==1.0.10","checkpointpostgres==1.0.11","checkpointpostgres==1.0.2","checkpointpostgres==1.0.3","checkpointpostgres==1.0.4","checkpointpostgres==1.0.5","checkpointpostgres==1.0.6","checkpointpostgres==1.0.7","checkpointpostgres==1.0.8","checkpointpostgres==1.0.9",
"checkpointpostgres==2.0.0","checkpointpostgres==2.0.1","checkpointpostgres==2.0.10","checkpointpostgres==2.0.11","checkpointpostgres==2.0.12","checkpointpostgres==2.0.13","checkpointpostgres==2.0.14","checkpointpostgres==2.0.15","checkpointpostgres==2.0.16","checkpointpostgres==2.0.17","checkpointpostgres==2.0.18","checkpointpostgres==2.0.19","checkpointpostgres==2.0.2","checkpointpostgres==2.0.20","checkpointpostgres==2.0.21","checkpointpostgres==2.0.22","checkpointpostgres==2.0.23","checkpointpostgres==2.0.24","checkpointpostgres==2.0.25","checkpointpostgres==2.0.3","checkpointpostgres==2.0.4","checkpointpostgres==2.0.5","checkpointpostgres==2.0.6","checkpointpostgres==2.0.7","checkpointpostgres==2.0.8","checkpointpostgres==2.0.9","checkpointpostgres==3.0.0","checkpointpostgres==3.0.1","checkpointpostgres==3.0.2","checkpointsqlite==1.0.0","checkpointsqlite==1.0.1","checkpointsqlite==1.0.2","checkpointsqlite==1.0.3","checkpointsqlite==1.0.4","checkpointsqlite==2.0.0","checkpointsqlite==2.0.1","checkpointsqlite==2.0.10","checkpointsqlite==2.0.11","checkpointsqlite==2.0.2","checkpointsqlite==2.0.3","checkpointsqlite==2.0.4","checkpointsqlite==2.0.5","checkpointsqlite==2.0.6","checkpointsqlite==2.0.7","checkpointsqlite==2.0.8","checkpointsqlite==2.0.9","checkpointsqlite==3.0.0","checkpointsqlite==3.0.1","cli==0.1.40","cli==0.1.41","cli==0.1.42","cli==0.1.44","cli==0.1.45","cli==0.1.45a0","cli==0.1.45a1","cli==0.1.46","cli==0.1.47","cli==0.1.48","cli==0.1.49","cli==0.1.50","cli==0.1.51","cli==0.1.52","cli==0.1.53","cli==0.1.54","cli==0.1.55","cli==0.1.55rc1","cli==0.1.56","cli==0.1.57","cli==0.1.58","cli==0.1.59","cli==0.1.60","cli==0.1.61","cli==0.1.62","cli==0.1.63","cli==0.1.64","cli==0.1.65","cli==0.1.66","cli==0.1.67","cli==0.1.68","cli==0.1.69","cli==0.1.70","cli==0.1.71","cli==0.1.72","cli==0.1.73","cli==0.1.74","cli==0.1.75","cli==0.1.76","cli==0.1.77","cli==0.1.78","cli==0.1.79","cli==0.1.80","cli==0.1.81","cli==0.1.82","cli==0.1.83","cli==0.1.84","cli==0.1.89","cli==0.2.1",
"cli==0.2.10","cli==0.2.11","cli==0.2.12","cli==0.2.2","cli==0.2.3","cli==0.2.4","cli==0.2.5","cli==0.2.6","cli==0.2.7","cli==0.2.8","cli==0.2.9","cli==0.3.1","cli==0.3.2","cli==0.3.3","cli==0.3.4","cli==0.3.5","cli==0.3.6","cli==0.3.7","cli==0.3.8","cli==0.4.0","cli==0.4.1","cli==0.4.10","cli==0.4.11","cli==0.4.2","cli==0.4.3","cli==0.4.4","cli==0.4.6","cli==0.4.8","cli==0.4.9","langgraph-cli==0.1.39","prebuilt==0.1.0","prebuilt==0.1.1","prebuilt==0.1.2","prebuilt==0.1.3","prebuilt==0.1.4","prebuilt==0.1.5","prebuilt==0.1.6","prebuilt==0.1.7","prebuilt==0.1.8","prebuilt==0.2.0","prebuilt==0.2.1","prebuilt==0.2.2","prebuilt==0.5.0","prebuilt==0.5.0rc0","prebuilt==0.5.1","prebuilt==0.5.2","prebuilt==0.6.0","prebuilt==0.6.0a1","prebuilt==0.6.1","prebuilt==0.6.2","prebuilt==0.6.3","prebuilt==0.6.4","prebuilt==0.7.0rc1","prebuilt==1.0.0","prebuilt==1.0.1","prebuilt==1.0.2","prebuilt==1.0.3","prebuilt==1.0.4","prebuilt==1.0.5","sdk==0.1.23","sdk==0.1.24","sdk==0.1.25","sdk==0.1.26","sdk==0.1.27","sdk==0.1.28","sdk==0.1.29","sdk==0.1.30","sdk==0.1.31","sdk==0.1.32","sdk==0.1.33","sdk==0.1.34","sdk==0.1.35","sdk==0.1.36","sdk==0.1.37","sdk==0.1.38","sdk==0.1.39","sdk==0.1.40","sdk==0.1.42","sdk==0.1.43","sdk==0.1.44","sdk==0.1.45","sdk==0.1.46","sdk==0.1.47","sdk==0.1.48","sdk==0.1.50","sdk==0.1.51","sdk==0.1.53","sdk==0.1.55","sdk==0.1.56","sdk==0.1.57","sdk==0.1.58","sdk==0.1.59","sdk==0.1.60","sdk==0.1.61","sdk==0.1.62","sdk==0.1.63","sdk==0.1.64","sdk==0.1.65","sdk==0.1.66","sdk==0.1.69","sdk==0.1.70","sdk==0.1.71","sdk==0.1.72","sdk==0.1.73","sdk==0.1.74","sdk==0.2.0","sdk==0.2.0a1","sdk==0.2.1","sdk==0.2.10","sdk==0.2.12","sdk==0.2.14","sdk==0.2.15","sdk==0.2.2","sdk==0.2.3","sdk==0.2.4","sdk==0.2.5","sdk==0.2.6","sdk==0.2.7","sdk==0.2.8","sdk==0.2.9","sdk==0.3.0","sdk==0.3.1","sdk==0.3.2","v0.0.3","v0.0.4","v0.0.5","v0.0.6","v0.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27794.json"}}],"schema_version":"1.7.5"
,"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}