Query Injection Vulnerability in Redis Checkpoint Implementation for LangGraph by LangChain
CVE-2026-27022
6.5 MEDIUM
What is CVE-2026-27022?
A query injection vulnerability is present in the @langchain/langgraph-checkpoint-redis package, which serves as the Redis checkpoint and store implementation for LangGraph. The vulnerability is due to inadequate handling of user-supplied filter keys and values during RediSearch query construction in the RedisSaver and ShallowRedisSaver classes. Because that user data is interpolated directly into the query string without escaping, an attacker who controls a filter key or value can alter the query logic and potentially bypass access controls. Users are advised to upgrade to version 1.0.2 or later to mitigate this risk.
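As an added illustration of the bug class described above (not code from @langchain/langgraph-checkpoint-redis, whose internals are not shown on this page), the following contrasts a filter builder that interpolates keys and values verbatim with one that validates field names and escapes RediSearch TAG values; the function names, the `thread_id` field and the constructed input are assumptions.

```javascript
// Added example, not the package's own code: a RediSearch TAG filter built
// from caller-supplied keys and values, first unescaped, then hardened.

// Vulnerable pattern: keys and values are interpolated verbatim, so any
// RediSearch syntax character in a value becomes part of the query.
function buildFilterUnsafe(filter) {
  return Object.entries(filter)
    .map(([key, value]) => `@${key}:{${value}}`)
    .join(' ');
}

// RediSearch treats punctuation and whitespace inside a TAG value as query
// syntax; prefixing each such character with a backslash makes it literal.
// Escaping every character outside [A-Za-z0-9_] is the conservative choice.
function escapeTagValue(value) {
  return String(value).replace(/[^A-Za-z0-9_]/g, (ch) => `\\${ch}`);
}

// Field names come from the index schema, so only plain identifiers pass;
// a key is rejected rather than escaped.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function buildFilterSafe(filter) {
  return Object.entries(filter)
    .map(([key, value]) => {
      if (!FIELD_NAME.test(key)) {
        throw new Error(`invalid filter key: ${JSON.stringify(key)}`);
      }
      return `@${key}:{${escapeTagValue(value)}}`;
    })
    .join(' ');
}

// Constructed input (assumed field name): a value containing "}" and "|",
// which the unescaped builder passes through as query syntax.
const constructedFilter = { thread_id: 't-1} | @x:{y' };
console.log(buildFilterUnsafe(constructedFilter)); // two clauses instead of one
console.log(buildFilterSafe(constructedFilter));   // one clause, value literal
```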
Affected Version(s)
langgraphjs < 1.0.2
