Summary
LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after a database compromise or other privileged write access to the persistence layer), they can potentially supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded.
This is a post-exploitation / defense-in-depth issue. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest. In most deployments that prerequisite already implies a serious incident; the additional risk is turning “checkpoint-store write access” into code execution in the application runtime, which can expand blast radius (for example by exposing environment variables or cloud credentials available to the runtime).
There is no evidence of exploitation in the wild, and LangGraph is not aware of a practical exploitation path in existing deployments today. This change is intended to reduce the blast radius of a checkpoint-store compromise.
Affected users / systems
Users may be affected if they:
- use a persistent checkpointer (database, remote store, shared filesystem, etc.),
- load/resume from checkpoints, and
- operate in an environment where an attacker could gain privileged write access to checkpoint data in the backing store.
This issue requires the attacker to be able to modify persisted checkpoint bytes (or to compromise a trusted component that writes them). It is generally not reachable by an unauthenticated remote attacker in a correctly configured deployment.
Exploitation scenario (high level)
- Attacker gains privileged write access to the checkpoint store (for example, via database compromise, leaked credentials, or abuse of an administrative data path).
- Attacker writes a crafted checkpoint payload containing msgpack data intended to reconstruct dangerous objects.
- Application resumes and deserializes the checkpoint; unsafe reconstruction could execute attacker-controlled behavior.
Mitigation / remediation
LangGraph provides an allowlist-based hardening mechanism for msgpack checkpoint deserialization.
Strict mode (environment variable)
LANGGRAPH_STRICT_MSGPACK- When set truthy (
1,true,yes), the default msgpack deserialization policy becomes strict. - Concretely:
JsonPlusSerializer()will defaultallowed_msgpack_modulestoNone(strict) instead ofTrue(warn-and-allow), unlessallowed_msgpack_modules=...is explicitly passed.
- When set truthy (
allowed_msgpack_modules (serializer/checkpointer config)
This setting controls what msgpack “ext” types are allowed to be reconstructed.
True(default when strict mode is not enabled): allow all ext types, but log a warning when deserializing a type that is not explicitly registered.None(strict): only a built-in safe set is reconstructed; other ext types are blocked.[(module, class_name), ...](strict allowlist): the built-in safe set plus exactly the listed symbols are reconstructed (exact-match).
Built-in safe set
A small set of types is always treated as safe to reconstruct (for example datetime types, uuid.UUID, decimal.Decimal, set/frozenset/deque, ipaddress types, pathlib paths, zoneinfo.ZoneInfo, compiled regex patterns, and selected LangGraph internal types).
Automatically derived allowlist (only when compiling graphs)
When LANGGRAPH_STRICT_MSGPACK is enabled and StateGraph is compiled, LangGraph derives an allowlist from the graph’s schemas and channels and applies it to the checkpointer.
- The allowlist is built by walking the state/input/output/context schemas (plus node/branch input schemas) and channel value/update types. It includes Pydantic v1/v2 models, dataclasses, enums, TypedDict field types, and common typing constructs (containers, unions,
Annotated). - LangGraph also includes a curated set of common LangChain message classes.
This derived allowlist is only applied if the selected checkpointer supports with_allowlist(...). If a user is constructing serializers/checkpointers manually (or using a checkpointer that does not support allowlist propagation), they will need to configure allowed_msgpack_modules themselves.
Operational guidance
- Treat checkpoint stores as integrity-sensitive. Restrict write access and rotate credentials if compromise is suspected.
- Enable strict mode (
LANGGRAPH_STRICT_MSGPACK=true) in production if feasible, and rely on schema-driven allowlisting to reduce incompatibilities. - Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.
Limitations / important notes
- If a checkpointer implementation does not support allowlist application (i.e., does not implement
with_allowlist), allowlist enforcement may be skipped (with a warning). In that situation, strict expectations may not hold. - If an application supplies a custom msgpack unpack hook (
ext_hook), the custom hook controls reconstruction and can bypass the default allowlist checks (intentional escape hatch, but it weakens the protection).
LangSmith / hosted deployments note
LangSmith is not aware of this issue presenting risk to existing LangSmith-hosted deployments. The described threat model requires an attacker to tamper with the checkpoint persistence layer used by the deployment; typical hosted configurations are designed to prevent such access.
First reported by: yardenporat353
Impact
- Potential arbitrary code execution or other unsafe side effects during checkpoint deserialization.
- Escalation from “write access to checkpoint store” to “code execution in the application runtime,” which may expose runtime secrets or provide access to other systems the runtime can reach.
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-28277 has a CVSS score of 6.8 (Medium). The vector is reachable from an adjacent network, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.10); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-28277? CVE-2026-28277 is a medium-severity insecure deserialization vulnerability in langgraph (pip), affecting versions <= 1.0.9. It is fixed in 1.0.10. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
- How severe is CVE-2026-28277? CVE-2026-28277 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of langgraph are affected by CVE-2026-28277? langgraph (pip) versions <= 1.0.9 is affected.
- Is there a fix for CVE-2026-28277? Yes. CVE-2026-28277 is fixed in 1.0.10. Upgrade to this version or later.
- Is CVE-2026-28277 exploitable, and should I be worried? Whether CVE-2026-28277 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-28277 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-28277? Upgrade
langgraphto 1.0.10 or later.