CVE-2026-27794 is a medium-severity insecure deserialization vulnerability in langgraph-checkpoint (pip), affecting versions < 4.0.0. It is fixed in 4.0.0.
Context A Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to langgraph-checkpoint 4.0.0, BaseCache defaults to JsonPlusSerializer(picklefallback=True). When msgpack serialization fails, cached values can be deserialized via pickle.loads(...). Who is affected? Caching is not enabled by default. Applications are affected only when: The application explicitly enables a cache backend (for example by passing cache=... to StateGraph.compile(...) or otherwise configuring a BaseCache implementation) One or more nodes opt into caching via CachePolicy The attacker can write to the cache backend (for example a network-accessible Redis instance with weak/no auth, shared cache infrastructure reachable by other tenants/services, or a writable SQLite cache file) Example (enabling a cache backend and opting a node into caching): With picklefallback=True, when msgpack serialization fails, JsonPlusSerializer can fall back to storing values as a ("pickle", <bytes>) tuple and later deserialize them via pickle.loads(...). If an attacker can place a malicious pickle payload into the cache backend such that the LangGraph process reads and deserializes it, this can lead to arbitrary code execution. Exploitation requires attacker write access to the cache backend. The serializer is not exposed as a network-facing API. This is fixed in langgraph-checkpoint>=4.0.0 by disabling pickle fallback by default (picklefallback=False). Impact Arbitrary code execution in the LangGraph process when attacker-controlled cache entries are deserialized. Root Cause BaseCache default serializer configuration inherited by cache implementations (InMemoryCache, RedisCache, SqliteCache): libs/checkpoint/langgraph/cache/base/init.py (pre-fix default: JsonPlusSerializer(picklefallback=True)) JsonPlusSerializer deserialization sink: libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py loadstyped(...) calls pickle.loads(data) when type_ == "pickle" and pickle fallback is enabled Attack preconditions An attacker must be able to write attacker-controlled bytes into the cache backend such that the LangGraph process later reads and deserializes them. This typically requires write access to a networked cache (for example a network-accessible Redis instance with weak/no auth or shared cache infrastructure reachable by other tenants/services) or write access to local cache storage (for example a writable SQLite cache file via permissive file permissions or a shared writable volume). Because exploitation requires write access to the cache storage layer, this is a post-compromise / post-access escalation vector. Remediation Upgrade to langgraph-checkpoint>=4.0.0. Resources ZDI-CAN-28385 Patch: https://github.com/langchain-ai/langgraph/pull/6677 Patch diff: https://patch-diff.githubusercontent.com/raw/langchain-ai/langgraph/pull/6677.patch Credit: Peter Girnus (@gothburz), Demeng Chen, and Brandon Niemczyk (Trend Micro Zero Day Initiative)
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-27794 has a CVSS score of 6.6 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (4.0.0). Upgrading removes the vulnerable code path.
pip
langgraph-checkpoint (< 4.0.0)langgraph-checkpoint → 4.0.0 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-27794 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-27794 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-27794 in your environment →Upgrade langgraph-checkpoint to 4.0.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-27794 is a medium-severity insecure deserialization vulnerability in langgraph-checkpoint (pip), affecting versions < 4.0.0. It is fixed in 4.0.0. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
CVE-2026-27794 has a CVSS score of 6.6 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langgraph-checkpoint (pip) versions < 4.0.0 is affected.
Yes. CVE-2026-27794 is fixed in 4.0.0. Upgrade to this version or later.
Whether CVE-2026-27794 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade langgraph-checkpoint to 4.0.0 or later.