惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Troy Hunt's Blog
F
Fortinet All Blogs
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
Y
Y Combinator Blog
The Register - Security
The Register - Security
T
Tailwind CSS Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
月光博客
月光博客
V
Vulnerabilities – Threatpost
S
Securelist
S
SegmentFault 最新的问题
T
Threat Research - Cisco Blogs
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy International News Feed
S
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LangChain Blog
GbyAI
GbyAI
Apple Machine Learning Research
Apple Machine Learning Research
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
美团技术团队
Cyberwarzone
Cyberwarzone
C
Cisco Blogs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google Online Security Blog
Google Online Security Blog
M
MIT News - Artificial intelligence
U
Unit 42
V
V2EX
C
CERT Recently Published Vulnerability Notes
云风的 BLOG
云风的 BLOG
B
Blog
博客园 - 叶小钗
Attack and Defense Labs
Attack and Defense Labs
Security Archives - TechRepublic
Security Archives - TechRepublic
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
博客园 - Franky
Engineering at Meta
Engineering at Meta
Schneier on Security
Schneier on Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Blog of Author Tim Ferriss
IT之家
IT之家
W
WeLiveSecurity
Cisco Talos Blog
Cisco Talos Blog
K
Kaspersky official blog
Martin Fowler
Martin Fowler
SecWiki News
SecWiki News

Check Point Blog

The State of Hybrid SASE: Built-In vs. Bolted-On - Check Point Blog AI Appreciation Day: Let's Be Honest About What We're Appreciating - Check Point Blog AI Security Is Never Finished: Building the Continuous Red Teaming Loop  - Check Point Blog AI Security Threats in 2026: Annual Insights from Check Point Research - Check Point Blog AI Agents are Only As Effective as Their Harness - Check Point Blog Email Agent Hijacking: The Hidden Threat That Breaks Post-Delivery Security - Check Point Blog How Check Point Email Security Stopped a Student Job Scam Before It Reached the Inbox - Check Point Blog Redefining the CISO Contract: From Securing the Business to Securely Doing Business - Check Point Blog A New Ransomware Leader Emerges as June 2026 Attack Volumes Climb Worldwide How Unified Policies Close Security Gaps - Check Point Blog Under Pressure: Insights from the 2026 Exposure Gap Report - Check Point Blog When AI Invents the Attack: Browser-Native Ransomware - Check Point Blog Check Point and the AWS European Sovereign Cloud: Securing Europe’s Digital Future - Check Point Blog Shadow AI Is Not a Tool Problem. It's a Timing Problem. - Check Point Blog AI Is Changing Cyber Careers. NICE 2026 Showed What Students Need Next - Check Point Blog 90% of the World's Businesses are SMEs and MSMEs and AI Is Reshaping Both Their Future and Their Risk - Check Point Blog Prevention Before the Inbox: Reading the Microsoft Defender Benchmark Report in Context - Check Point Blog ClickFix: The Attack That Turns Users Into Their Own Attackers - Check Point Blog From Prompt Testing to AI Red Teaming at Enterprise Scale - Check Point Blog AI Has Moved From Assistance to Action. Is Your Security Model Ready? AI Security Governance: How to Secure AI Agents, Copilots, and Autonomous AI in 2026 - Check Point Blog OpenAI Frontier AI Models Powering Check Point's Leading Cyber Security Solutions The Operational Reality of Zero Trust- And How You Can Change It - Check Point Blog Amazon Prime Day 2026: Bargains Begin June 23 — and So Do the Scams - Check Point Blog Securing AI Agent Behavior with Amazon Bedrock AgentCore and CheckPoint AI Security - Check Point Blog What Successful Exposure Management Deployments Had in Common in 2026 - Check Point Blog From Stars to Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers - Check Point Blog AI Red Teaming Makes the Unknowns Known - Check Point Blog Check Point and Illumio Expand Partnership to Secure Hybrid Environments - Check Point Blog The NCSC Patch Wave Is Coming. Do You Know Where Your Risk Lives? - Check Point Blog NCSC Warns of AI-Driven Patch Wave: Is Your Attack Surface Ready? Energy, Healthcare, and Finance: Why Midwest Industries Are Facing Surging Cyber Attacks - Check Point Blog Midwest Cyber Attacks Surge in 2026: Energy, Healthcare, and Finance Under Growing Threat Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years. Here's What Cyber Criminals Are Actually Doing - Check Point Blog Travel Phishing Scams Surge 122%: How Cybercriminals Are Targeting Travelers in 2026 The AI Your Security Team Can’t See Is the One You Should Worry About Check Point Engage Public Sector 2026: AI Is the New Battlefield Check Point Joins OpenAI’s Trusted Access for Cyber Program and Daybreak Initiative AI Agents Are Becoming Enterprise Workers. Who Secures Them? Global Cyber Attacks Ease in May 2026, But Ransomware Surges 48% As Threats Reorganize Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751) Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026 The AI Defense Plane: Securing the New Enterprise Execution Layer The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem Check Point Lays the Groundwork for the Future of AI Factory Security with NVIDIA - Check Point Blog Check ... The 2026 U.S. Midterms Have a Cyber Problem, But it’s Not at the Ballot Box The Server Seizure That Affects Also Iran’s Cyber Operations The Autonomous Security Platform Built for Attacker Speed Check Point Frontier AI Models Readiness Program – Security Update 2026 Cloud Security Report: Why Traditional Network, Cloud, and Security Architecture Are Lagging Behind t ... AI Attacks Are No Longer Experimental: Key Findings from the March-April 2026 AI Threat Landscape - Check ... Protect GenAI Chatbots with Check Point WAF The Network Security Problem No One Could Solve – Until Now. Hacktivists, Ransomware, and a 124% Surge Across DACH The Case for a Vulnerability Operations Center Before the First Whistle: How Cyber Criminals Are Targeting World Cup 2026 - Check Point Blog World Cup 20 ... When the Ransomware Gang Gets Hacked: What the Gentlemen Leak Reveals About Modern Ransomware Risk - Check ... Cyber Threats Spike in April 2026 as Ransomware Expands and Attack Volumes Climb After Short-Lived Moderation Q1 2026 Ransomware Report: Fewer Groups, Higher Impact - Check Point Blog World Password Day 2026: Why "Strong Passwords" Can’t Save You from AI, Infostealers, and the Telegram Underground - Check Point Blog Resilient by Design: When the Network Itself Becomes the Target AI Threat Readiness: Defending Against Attacks Powered by Frontier AI Models Check Point Cyber Security Now Available Across All Levels of U.S. Government - Check Point Blog Check Poi ... VECT Ransomware: Why Paying Won’t Get Your Files Back Check Point WAF Leads Application Security-Validated by Frost & Sullivan Check Point WAF Leads Application ... From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud Experience AI-Powered Check Point Firewall at Google Cloud Next AI Finds Every Gap: How Many Can Your Network Survive? The Gentlemen RaaS Is Surging in 2026 The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point of Choice World Quantum Day 2026: The Harvest Has Already Begun, Are You Prepared? Why Manufacturing Cyber Security is Becoming More Complex as Cyber Attacks Accelerate March 2026 Cyber Threat Report: Ransomware & GenAI Risk PS Private Training: Turning Cyber Complexity into Operational Control Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months in Advance Claude Mythos Wake-Up Call: What AI Vulnerability Discovery Means for Cyber Defense Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East ROI of Hybrid Mesh Network Security (IDC Study 2026) Operation TrueChaos: TrueConf Zero‑Day Supply‑Chain Attack ChatGPT Data Leak (Fixed Feb 2026): Key Takeaways Spring Cleaning Has Arrived: Meet the New Check Point Portal Experience North America’s Cyber Security Threat Reality in 2026
When Your AI Agent’s Memory Becomes a Security Liability
lizwu@checkpoint.com · 2026-06-11 · via Check Point Blog
Key Findings:  
  • Check Point Research identified a critical vulnerability chain in LangGraph, an open-source framework from the creators of LangChain that enables developers to build complex, stateful, and controllable AI agent workflows using LLMs; they have approximately 46.5 million monthly downloads, making it one of the most widely adopted AI agent platforms in the world
  • An SQL injection in LangGraph’s function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data. A compromised LangGraph server exposes everything the agent touches, including LLM API keys, customer data, CRM credentials, conversation history, and internal network access
  • Three CVEs were assigned: CVE-2025-67644 (SQLite injection), CVE-2026-28277 (msgpack deserialization RCE), and CVE-2026-27022 (Redis injection). All have been patched in upgraded versions
  • The vulnerability chain is exploitable in self-hosted deployments using the SQLite or Redis checkpointer with user-controlled filter input. LangChain’s managed platform (LangSmith Deployment), is not affected
  • This research demonstrates a broader pattern: classic vulnerability classes like SQL injection become significantly more dangerous when they appear inside AI agent frameworks that carry elevated access and trust

Check Point Research discovered how a single overlooked API in LangGraph, one of the world’s most widely used AI agent frameworks, can hand an attacker complete control of your AI infrastructure. 

LangGraph is not a niche tool. With close to 46.5 million downloads last month alone, it powers AI agents across thousands of production environments, from customer support automation to internal enterprise workflows. That kind of adoption means any security issue in it is worth paying close attention to. 

When Check Point Research set out to understand how AI agent frameworks handle persistence and state, we did not expect to find a path to full remote code execution. But that is exactly what we uncovered inside LangGraph, hidden in the component responsible for saving and retrieving agent memory. 

How AI agents remember things 

Unlike a simple chatbot, a stateful AI agent needs to remember what it has done across multiple steps. LangGraph handles this through a component called a checkpointer, a persistence layer that saves the agent’s execution state at each step so it can be retrieved later. 

This is where our research focused. The checkpointer is deeply embedded in how LangGraph operates, and any vulnerability here sits directly in the execution path of the entire agent workflow. 

Our team discovered that LangGraph’s get_state_history() function, which retrieves historical agent checkpoints, contains an SQL injection vulnerability in its filter parameter. On its own, that is already serious. But chained with a second vulnerability in how LangGraph deserializes checkpoint data, it becomes a path to full remote code execution.

Figure 1: SQLite checkpointer database schema used by LangGraph to store agent execution state, including thread identifiers, checkpoint data, and metadata blobs.

The chain that makes it dangerous 

Individual bugs are common. What makes this research significant is how two vulnerabilities combine into something far more serious than either one alone. The SQL injection allows an attacker to manipulate which checkpoint data gets returned from the database. The deserialization vulnerability means that when LangGraph processes that returned data, an attacker-controlled payload gets executed as code on the server. Neither flaw alone tells the full story. Together, they create a clear path from a single API call to complete server compromise.

Three CVEs were assigned across the SQLite checkpointer, the Redis checkpointer, and the core deserialization mechanism. We worked directly with the LangChain team through the full disclosure process, helping design and validate the fixes. 

What an attacker actually gets 

Full code execution on a LangGraph server is not a contained incident. These servers hold the keys to everything the agent touches. 

  • LLM API keys and secrets — every key the agent uses, directly billable and abusable by the attacker 
  • Full conversation history — every past interaction, prompt, and response the agent has ever processed 
  • Connected data — CRM records, helpdesk tickets, billing details, and customer PII the agent has touched 
  • Network foothold — a pivot point into broader internal systems, inheriting whatever access the agent had 

This is categorically different from a prompt injection attack that affects a single agent session. A compromised server means an attacker can read every conversation that agent has ever processed and hijack its behavior entirely going forward. This could effectively manipulate the AI into performing unauthorized actions, spreading of misinformation, or impersonating trusted systems. In effect, the AI shifts from being a trusted assistant to a potentially compromised tool that can create serious operational, security, and trust risks for the organization.

Figure 2: End-to-end attack chain from SQL injection in get_state_history() to remote code execution via msgpack deserialization.

Who is affected 

LangGraph is a framework, not a hosted product. That means every team using it is effectively self-hosting it inside their own application. The vulnerability chain is exploitable when an application exposes get_state_history() with a user-controllable filter parameter, and uses either the SQLite or Redis checkpointer backend. LangChain’s own managed platform uses PostgreSQL and is not affected by this specific chain. 

All three vulnerabilities have been fixed. Teams running the SQLite checkpointer should update to langgraph-checkpoint-sqlite 3.0.1 or later to address CVE-2025-67644. The msgpack deserialization issue, CVE-2026-28277, is resolved in langgraph 1.0.10 or later. And for those using the Redis checkpointer, CVE-2026-27022 is patched in langgraph-checkpoint-redis 1.0.2 or later. If you are running any version below these, updating the patch should be the immediate priority to prevent any impact. 

Securing agentic AI: what defenders should do 

These vulnerabilities are now patched, and all users should upgrade immediately. But the more durable takeaway from this research is what it reveals about how teams should be approaching AI agent security more broadly. 

  • Patch immediately: If you are running an affected version of LangGraph, updating is the single most important step. The patched versions are listed above
  • Put authentication in front of your LangGraph server: LangGraph self-hosted ships without built-in authentication, which means the top priority for developers is placing a reverse proxy or API gateway in front of it and avoiding direct exposure to untrusted networks. Treating it as an internal-only service materially shrinks the attack surface
  • Treat AI agents as privileged identities: Agents carry real access, interact with sensitive data, and hold credentials to SaaS applications, internal APIs, databases, and LLM providers. A compromised agent runtime should be treated with the same severity as a compromised privileged account
  • Minimize what agents can access: Apply least privilege to every credential an agent holds. The smaller the access footprint, the more contained any compromise will be. Check Point’s AI Agent Security capabilities are built around exactly this model, providing visibility and control over agent behavior, runtime trust, and lateral movement risk in agentic environments
  • Test your agentic systems the way attackers would: One of the harder lessons from this research is that the severity here came from chaining, not from any single flaw in isolation. Individual bugs get caught. Chains get missed. AI red teaming, which treats your agentic stack as an adversary would, is where that kind of emergent risk gets surfaced before it becomes a real incident. Check Point’s AI Red Teaming work is grounded in this approach, using the same adversarial reasoning that uncovered this vulnerability chain
  • Avoid long-lived static secrets: Where possible, adopt credential brokering patterns that reduce direct API key exposure and prevent secrets from leaking into prompts, logs, or agent state
  • Enforce strong network controls: Agent runtimes should sit behind proper authentication and network segmentation, not exposed as open endpoints

Read the research blog

Interested in how Check Point can help secure your agentic AI deployments? Contact us here.