LangGraph Security Updates: Patch Self-Hosted AI Agents

June 12, 2026 update: self-hosted LangGraph deployments should patch three newly documented security issues affecting checkpoint and state storage components: CVE-2025-67644, CVE-2026-28277, and CVE-2026-27022. The fixed minimums are langgraph-checkpoint-sqlite 3.0.1, langgraph 1.0.10, and @langchain/langgraph-checkpoint-redis 1.0.1. Current package metadata during this pass shows newer releases are already available.

Plain-English impact: LangGraph is used to run stateful AI agents and multi-step workflows. In self-hosted systems, those agents may hold application memory, tool access, model-provider secrets, cloud credentials, database access, and internal business context. A weakness in the checkpoint layer can become more serious when the agent runtime has broad access to other systems.

This is a protect-only guide. It avoids lab mechanics and unsafe validation details while giving developers, SaaS teams, MSPs, and hosting admins a safe update and review path.

Who should act

• Self-hosted LangGraph servers that use SQLite or Redis checkpointers.
• AI agent applications that expose state history, checkpoint-backed workflows, or agent memory to users, customers, workers, or internal tools.
• Containerized deployments where Python and Node.js dependencies are pinned in lockfiles and may not update automatically.
• Managed AI and SaaS teams running agents with access to tickets, documents, customer records, cloud services, internal APIs, or automation tools.

LangChain says its managed LangSmith-hosted deployment path is not affected by the documented self-hosted threat model. Teams using a managed platform should still review their own custom workers, sidecars, local scripts, and self-hosted staging copies.

What to update

• CVE-2025-67644: update langgraph-checkpoint-sqlite to 3.0.1 or newer.
• CVE-2026-28277: update langgraph to 1.0.10 or newer.
• CVE-2026-27022: update @langchain/langgraph-checkpoint-redis to 1.0.1 or newer.

During this pass, PyPI listed langgraph 1.2.5 and langgraph-checkpoint-sqlite 3.1.0 as current, and npm listed @langchain/langgraph-checkpoint-redis 1.0.8 as current. Use your normal dependency review process before jumping versions in production, especially if agent state schemas or checkpointer behavior are tightly coupled to your app.

Safe maintenance checklist

1. Inventory LangGraph use. Check repositories, containers, background workers, notebooks, staging apps, and customer-specific AI automation jobs.
2. Find checkpoint backends. Identify whether SQLite, Redis, a database, a remote store, or a shared filesystem is used for agent memory and workflow state.
3. Back up first. Save dependency lockfiles, environment settings, containers, database snapshots, Redis persistence where used, and any business-critical workflow state.
4. Update packages. Move each affected LangGraph package to at least the fixed version, then rebuild containers or virtual environments instead of patching only a running process.
5. Restrict access. Keep self-hosted AI agent services behind authentication, trusted networks, VPN, private service links, or an internal gateway. Do not leave development agent servers open to the public internet.
6. Reduce agent privilege. Remove unused tools, shorten secret lifetime, split high-risk tools into separate service accounts, and limit what the agent runtime can reach.
7. Review checkpoint stores. If checkpoint storage may have been modified by an untrusted party, rotate credentials and treat the agent runtime as potentially exposed.
8. Verify workflows. Test normal conversations, resumed workflows, tool calls, background jobs, logging, alerts, and rollback plans after the update.

Hosting and SaaS notes

For hosting providers, agencies, and SaaS operators, the key risk is not only the package version. It is where the AI agent can reach. A small demo agent with no secrets has a different risk profile from an operations agent that can read tickets, change cloud resources, send email, run deployment jobs, or query client application records.

Patch during a normal maintenance window when possible, but do not wait on exposed self-hosted deployments. Drain background jobs, snapshot state stores, update dependencies, restart workers, confirm health checks, and keep logs long enough to review unusual state access or unexpected workflow changes.

If compromise is possible

If an attacker may have modified checkpoint data, accessed the backing store, or used the agent runtime, treat it as a secrets and automation incident. Rotate model-provider keys, cloud keys, database credentials, webhook secrets, OAuth tokens, and service-account credentials reachable by the agent. Review downstream systems the agent can touch, not only the LangGraph server.

Related Fix I.T. Phill reading

• Langflow CVE-2026-5027 AI app server patch guide
• LiteLLM CVE-2026-42271 AI gateway patch guide
• Splunk CVE-2026-20253 enterprise patch guide
• phpBB authentication bypass update guide

Sources

• LangGraph GitHub advisory for CVE-2025-67644
• LangGraph GitHub advisory for CVE-2026-28277
• LangGraph.js GitHub advisory for CVE-2026-27022
• Check Point Research LangGraph checkpointer analysis
• The Hacker News report on LangGraph self-hosted exposure
• PyPI package page for LangGraph
• PyPI package page for langgraph-checkpoint-sqlite
• npm package page for @langchain/langgraph-checkpoint-redis

Need help patching self-hosted AI app infrastructure without breaking workflows? Fix I.T. Phill can help inventory deployments, plan a safe update window, restrict exposed services, rotate secrets, and verify agent workflows after maintenance.