Skip to main content

LangGraph Checkpoint MongoDB CVE-2026-48121

MEDIUM
Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-06-12 https://github.com/langchain-ai/langgraphjs GHSA-98xf-r82g-9mhx
6.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.7 MEDIUM
AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
7.1 HIGH

AV:N because attack arrives via HTTP API; PR:L because tenant authentication is required; UI:N since no additional interaction needed beyond submitting the malicious request; C:H for cross-tenant disclosure; I:L since write paths are also unvalidated but primary confirmed impact is read.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 15:51 vuln.today
Analysis Generated
Jun 12, 2026 - 15:51 vuln.today

DescriptionGitHub Advisory

Summary

A NoSQL injection vulnerability existed in MongoDBSaver where checkpoint identifier fields from config.configurable were used in MongoDB queries without strict type enforcement. In vulnerable versions, attacker-controlled object payloads (for example MongoDB operators like $gt and $ne) could be interpreted as query operators instead of literal identifier values.

This could bypass intended thread scoping and return checkpoints from other tenants.

Attack surface

The vulnerable path was in MongoDBSaver.getTuple(), where thread_id, checkpoint_ns, and checkpoint_id were used in MongoDB find() queries. The same unvalidated values were then reused to fetch pending writes.

Applications were exposed when untrusted input was forwarded into config.configurable (for example, directly from request bodies or query parameters) without string coercion or schema validation.

Who is affected?

Applications are vulnerable if they:

  • Use @langchain/langgraph-checkpoint-mongodb with multi-tenant or user-isolated thread models.
  • Accept user-controlled values for thread_id, checkpoint_ns, or checkpoint_id.
  • Pass those values into app.invoke(), app.stream(), or direct saver methods without validation.

Applications are generally not vulnerable if they:

  • Use server-issued identifiers only.
  • Source thread_id from trusted URL params that remain strings.
  • Enforce schema validation that rejects non-string identifier fields.

Impact

An attacker with control over configurable checkpoint identifiers could read checkpoint data outside their authorized thread boundary.

Potentially exposed data includes:

  • Checkpoint state
  • Metadata
  • Pending writes

This is a confidentiality issue with cross-tenant data disclosure risk.

Exploit example

An attacker-controlled request can inject MongoDB operators:

ts
graph = new StateGraph(...)
  .compile({
    checkpointer: new MongoDBSaver()
  });

graph.invoke(..., {
  configurable: {
    "thread_id": { "$gt": "" },
    "checkpoint_ns": { "$ne": null }
  }
});

If this payload is forwarded into config.configurable, the resulting query may match checkpoints outside the intended tenant/thread scope.

Security hardening changes

Version 1.3.1 hardens @langchain/langgraph-checkpoint-mongodb by adding runtime validation for configurable checkpoint identifiers and rejecting invalid values before MongoDB query/write paths execute.

The patch also includes regression tests covering object/operator payloads across affected methods.

Migration guide

Upgrade to @langchain/langgraph-checkpoint-mongodb@1.3.1 or later.

No API migration is required for valid callers. However, applications that currently pass non-string identifier values in config.configurable will now receive explicit errors and should normalize/validate inputs.

As defense in depth, validate identifier fields at API boundaries and avoid passing raw client objects into graph config.

Resources

  • Issue: https://github.com/langchain-ai/langgraphjs/issues/2351
  • Fix PR: https://github.com/langchain-ai/langgraphjs/pull/2397

AnalysisAI

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Technical ContextAI

The affected package is @langchain/langgraph-checkpoint-mongodb (npm), the MongoDB-backed persistence adapter for LangGraph's TypeScript SDK. LangGraph threads maintain stateful execution checkpoints stored in MongoDB collections; the MongoDBSaver class serializes and retrieves these checkpoints keyed by thread_id, checkpoint_ns, and checkpoint_id. The root cause is CWE-943 (Improper Neutralization of Special Elements in Data Query Logic - NoSQL), specifically the absence of strict type coercion before these identifier values are interpolated as MongoDB query filter fields. Because MongoDB's Node.js driver accepts plain JavaScript objects as query filter values, supplying { "$gt": "" } for thread_id is syntactically valid and causes the driver to evaluate it as a range comparison rather than an equality match. The same unvalidated identifiers were also reused in write paths for pending writes. The CPE identifier is pkg:npm/@langchain/langgraph-checkpoint-mongodb with affected range <= 1.3.0.

RemediationAI

Upgrade to @langchain/langgraph-checkpoint-mongodb@1.3.1 immediately; this is the vendor-released patch (confirmed via commit 284226c7ca164b3c81fe2d9e32b10f1fc6b99a3c and PR #2397 at https://github.com/langchain-ai/langgraphjs/pull/2397). The patch introduces a getStringConfigValue() runtime validation function that rejects non-string identifier values with an explicit error before any MongoDB query or write executes. No API changes are required for callers already using valid string identifiers. Applications passing non-string values will now receive runtime errors and must normalize inputs accordingly. As a compensating control prior to patching, enforce strict schema validation at API boundaries (e.g., using Zod or similar) to reject any thread_id, checkpoint_ns, or checkpoint_id value that is not a plain string - this prevents object-type operator payloads from reaching config.configurable. Additionally, avoid passing raw request body objects directly into app.invoke() or app.stream() config; instead, explicitly extract and coerce identifier strings from client input before constructing the configurable object.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

CVE-2026-48121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy