Skip to main content

LangGraph Checkpoint CVE-2026-48775

| EUVD-2026-37140 MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-06-16 GitHub_M
Checkpoint Deserialization Python RCE Langgraph Langraph Checkpoint
6.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.8 MEDIUM
AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

SQLite is a local file resource requiring filesystem write access, so AV:L and PR:H are most precise; code execution yields full CIA impact.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 16, 2026 - 20:02 EUVD
Analysis Generated
Jun 16, 2026 - 19:08 vuln.today
CVE Published
Jun 16, 2026 - 17:53 cve.org
MEDIUM 6.8

DescriptionCVE.org

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where someone could modify checkpoint bytes at rest in the backing store, the deserialization path could reconstruct objects beyond what the application expects, which could in turn result in code execution at checkpoint load time. This is a defense-in-depth issue. The affected behavior is reachable only when checkpoint bytes at rest in the backing store can be modified by an unauthorized party. In most deployments that prerequisite already implies a serious incident; the additional concern is turning "checkpoint-store write access" into code execution in the application runtime. This issue has been fixed in version 4.1.1.

AnalysisAI

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain write access to SQLite checkpoint store
Delivery
Craft malicious checkpoint payload with Python object gadget
Exploit
Wait for or trigger application checkpoint load
Execution
JsonPlusSerializer deserializes tampered payload
Persist
Arbitrary code executes in application runtime
Impact
Full process compromise achieved
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that an unauthorized party can modify checkpoint bytes at rest in the SQLite backing store - this is the single critical prerequisite stated explicitly in the CVE description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.8 with vector AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H accurately reflects the conditional nature of this flaw: the adjacent attack vector and high privilege requirement act as strong limiting factors, even though the CIA impact metrics are maximally scored due to code execution potential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to the SQLite checkpoint file - whether via a compromised service account, misconfigured file share, or lateral movement within the environment - crafts a malicious checkpoint payload containing a Python object with a destructive __reduce__ method. When the LangGraph application subsequently loads that checkpoint through JsonPlusSerializer, the tampered payload is deserialized and the embedded code executes within the application's runtime context, potentially granting full control of the host process. …
Remediation Vendor-released patch: version 4.1.1. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-47747 HIGH
7.8 Jun 16

Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely a
CVE-2026-47750 HIGH
7.8 Jun 16

Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user

CVE-2026-47749 HIGH
7.8 Jun 16

Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and
CVE-2026-54499 HIGH
7.5 Jun 19

Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch
CVE-2026-47748 MEDIUM
5.5 Jun 16

Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) al

Share

CVE-2026-48775 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy