CVE-2026-27022

CVE-2026-27022 is a medium-severity security vulnerability in @langchain/langgraph-checkpoint-redis (npm), affecting versions < 1.0.2. It is fixed in 1.0.2.

Summary

A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls.

Attack surface

The core vulnerability was in the list() methods of both RedisSaver and ShallowRedisSaver: these methods failed to escape RediSearch special characters in filter keys and values when constructing queries. When unescaped data containing RediSearch syntax was used, the injected operators were interpreted by RediSearch rather than treated as literal search values.

This escaping bug enabled the following attack vector:

  • Thread boundary escape via OR operator: RediSearch uses | as an OR operator with specific precedence rules. A query like A B | C is interpreted as (A AND B) OR C. By injecting }) | (@thread_id:{* into a filter value, an attacker can append an OR clause that matches all threads, effectively bypassing the thread isolation constraint.

The injected query (@thread_id:{legitimate-thread}) (@source:{x}) | (@thread_id:{*}) matches:

  • Documents with thread_id:legitimate-thread AND source:x, OR
  • Documents with ANY thread_id

The second clause matches all threads, bypassing thread isolation entirely.

Who is affected?

Applications are vulnerable if they:

  • Pass user-controlled input to filter parameters, When using getStateHistory() or checkpointer.list() with filter values derived from user input, HTTP parameters, or other untrusted sources.
  • Use Redis checkpointing in multi-tenant applications, Applications that rely on thread isolation to separate data between users or tenants are at risk of cross-tenant data access.

The most common attack vector is through API endpoints that expose filtering capabilities to end users, allowing them to search or filter their conversation history.

Exploit example

import { RedisSaver } from "@langchain/langgraph-checkpoint-redis";

const saver = new RedisSaver({ /* redis config */ });

// Normal usage - should only see thread "user-123-thread"
const legitHistory = saver.list({
  configurable: { thread_id: "user-123-thread" }
}, {
  filter: { source: "loop" }
});

// Attacker crafts malicious filter value
const attackerFilter = {
  source: "x}) | (@thread_id:{*"  // Injects OR clause matching ALL threads
};

// This produces a query like:
// (@thread_id:{user-123-thread}) (@source:{x}) | (@thread_id:{*})
// Due to precedence, this matches ALL threads!

const stolenHistory = saver.list({
  configurable: { thread_id: "user-123-thread" }
}, {
  filter: attackerFilter
});

// stolenHistory now contains checkpoints from ALL threads - DATA LEAKED!

Security hardening changes

The 1.0.2 patch introduces the following changes:

  • Escape utility function: A new escapeRediSearchTagValue() function properly escapes all RediSearch special characters (- . < > { } [ ] " ' : ; ! @ # $ % ^ & * ( ) + = ~ | \ ? /) by prefixing them with backslashes.
  • Filter key escaping: All filter keys are escaped before being used in query construction.
  • Filter value escaping: All filter values are escaped before being interpolated into RediSearch tag queries.

Migration guide

No changes needed for most users

The fix is backward compatible. Existing code will work without modifications, filter values that previously worked will continue to work, with the added protection against injection:

import { RedisSaver } from "@langchain/langgraph-checkpoint-redis";

// Works exactly as before, now with injection protection
const history = saver.list(config, {
  filter: { source: "loop" }
});

If you were relying on special characters

If your application intentionally used RediSearch syntax in filter values (unlikely but possible), be aware that these characters will now be escaped and treated as literals.

For applications with user-facing filters

No code changes required, but this is a good time to review your API design:

// Before: Vulnerable to injection
app.get("/history", async (req, res) => {
  const history = await saver.list(config, {
    filter: req.query.filter  // User-controlled - was vulnerable
  });
});

// After: Now safe, but consider validating allowed filter keys
app.get("/history", async (req, res) => {
  const allowedKeys = ["source", "step"];
  const sanitizedFilter = Object.fromEntries(
    Object.entries(req.query.filter || {})
      .filter(([key]) => allowedKeys.includes(key))
  );
  const history = await saver.list(config, {
    filter: sanitizedFilter
  });
});

Recommendation: Even with the fix in place, consider validating that filter keys are from an allowed list as a defense-in-depth measure.

References

Impact

Attackers who control filter input can bypass thread isolation by injecting RediSearch OR operators to construct queries that match all threads regardless of the intended thread constraint. This enables access to checkpoint data from threads the attacker is not authorized to view.

Key severity factors:

  • Enables complete bypass of thread-based access controls
  • Sensitive conversation data from other users may be exposed
  • Affects multi-tenant applications relying on thread isolation for data separation
  • Requires only control over filter input values (common in user-facing APIs)

CVE-2026-27022 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.2); upgrading removes the vulnerable code path.

Affected versions

@langchain/langgraph-checkpoint-redis (< 1.0.2)

Security releases

@langchain/langgraph-checkpoint-redis → 1.0.2 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade @langchain/langgraph-checkpoint-redis to 1.0.2 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-27022? CVE-2026-27022 is a medium-severity security vulnerability in @langchain/langgraph-checkpoint-redis (npm), affecting versions < 1.0.2. It is fixed in 1.0.2.
  2. How severe is CVE-2026-27022? CVE-2026-27022 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of @langchain/langgraph-checkpoint-redis are affected by CVE-2026-27022? @langchain/langgraph-checkpoint-redis (npm) versions < 1.0.2 is affected.
  4. Is there a fix for CVE-2026-27022? Yes. CVE-2026-27022 is fixed in 1.0.2. Upgrade to this version or later.
  5. Is CVE-2026-27022 exploitable, and should I be worried? Whether CVE-2026-27022 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-27022 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-27022? Upgrade @langchain/langgraph-checkpoint-redis to 1.0.2 or later.

Other vulnerabilities in @langchain/langgraph-checkpoint-redis

Stop the waste.
Protect your environment with Kodem.