LangGraph Checkpoint MongoDB CVE-2026-48121
MEDIUMSeverity by source
AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
AV:N because attack arrives via HTTP API; PR:L because tenant authentication is required; UI:N since no additional interaction needed beyond submitting the malicious request; C:H for cross-tenant disclosure; I:L since write paths are also unvalidated but primary confirmed impact is read.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A NoSQL injection vulnerability existed in MongoDBSaver where checkpoint identifier fields from config.configurable were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads (for example MongoDB operators like $gt and $ne) could be interpreted as query operators instead of literal identifier values.
This could bypass intended thread scoping and return checkpoints from other tenants.
Attack surface
The vulnerable path was in MongoDBSaver.getTuple(), where thread_id, checkpoint_ns, and checkpoint_id were used in MongoDB find() queries. The same unvalidated values were then reused to fetch pending writes.
Applications were exposed when untrusted input was forwarded into config.configurable (for example, directly from request bodies or query parameters) without string coercion or schema validation.
Who is affected?
Applications are vulnerable if they:
- Use
@langchain/langgraph-checkpoint-mongodbwith multi-tenant or user-isolated thread models. - Accept user-controlled values for
thread_id,checkpoint_ns, orcheckpoint_id. - Pass those values into
app.invoke(),app.stream(), or direct saver methods without validation.
Applications are generally not vulnerable if they:
- Use server-issued identifiers only.
- Source
thread_idfrom trusted URL params that remain strings. - Enforce schema validation that rejects non-string identifier fields.
Impact
An attacker with control over configurable checkpoint identifiers could read checkpoint data outside their authorized thread boundary.
Potentially exposed data includes:
- Checkpoint state
- Metadata
- Pending writes
This is a confidentiality issue with cross-tenant data disclosure risk.
Exploit example
An attacker-controlled request can inject MongoDB operators:
graph = new StateGraph(...)
.compile({
checkpointer: new MongoDBSaver()
});
graph.invoke(..., {
configurable: {
"thread_id": { "$gt": "" },
"checkpoint_ns": { "$ne": null }
}
});If this payload is forwarded into config.configurable, the resulting query may match checkpoints outside the intended tenant/thread scope.
Security hardening changes
Version 1.3.1 hardens @langchain/langgraph-checkpoint-mongodb by adding runtime validation for configurable checkpoint identifiers and rejecting invalid values before MongoDB query/write paths execute.
The patch also includes regression tests covering object/operator payloads across affected methods.
Migration guide
Upgrade to @langchain/langgraph-checkpoint-mongodb@1.3.1 or later.
No API migration is required for valid callers. However, applications that currently pass non-string identifier values in config.configurable will now receive explicit errors and should normalize/validate inputs.
As defense in depth, validate identifier fields at API boundaries and avoid passing raw client objects into graph config.
Resources
- Issue: https://github.com/langchain-ai/langgraphjs/issues/2351
- Fix PR: https://github.com/langchain-ai/langgraphjs/pull/2397
AnalysisAI
{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.
Technical ContextAI
The affected package is @langchain/langgraph-checkpoint-mongodb (npm), the MongoDB-backed persistence adapter for LangGraph's TypeScript SDK. LangGraph threads maintain stateful execution checkpoints stored in MongoDB collections; the MongoDBSaver class serializes and retrieves these checkpoints keyed by thread_id, checkpoint_ns, and checkpoint_id. The root cause is CWE-943 (Improper Neutralization of Special Elements in Data Query Logic - NoSQL), specifically the absence of strict type coercion before these identifier values are interpolated as MongoDB query filter fields. Because MongoDB's Node.js driver accepts plain JavaScript objects as query filter values, supplying { "$gt": "" } for thread_id is syntactically valid and causes the driver to evaluate it as a range comparison rather than an equality match. The same unvalidated identifiers were also reused in write paths for pending writes. The CPE identifier is pkg:npm/@langchain/langgraph-checkpoint-mongodb with affected range <= 1.3.0.
RemediationAI
Upgrade to @langchain/langgraph-checkpoint-mongodb@1.3.1 immediately; this is the vendor-released patch (confirmed via commit 284226c7ca164b3c81fe2d9e32b10f1fc6b99a3c and PR #2397 at https://github.com/langchain-ai/langgraphjs/pull/2397). The patch introduces a getStringConfigValue() runtime validation function that rejects non-string identifier values with an explicit error before any MongoDB query or write executes. No API changes are required for callers already using valid string identifiers. Applications passing non-string values will now receive runtime errors and must normalize inputs accordingly. As a compensating control prior to patching, enforce strict schema validation at API boundaries (e.g., using Zod or similar) to reject any thread_id, checkpoint_ns, or checkpoint_id value that is not a plain string - this prevents object-type operator payloads from reaching config.configurable. Additionally, avoid passing raw request body objects directly into app.invoke() or app.stream() config; instead, explicitly extract and coerce identifier strings from client input before constructing the configurable object.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Same technique Nosql Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-98xf-r82g-9mhx