CVE-2026-27794: Cache Me If You Can: LangGraph RCE via Pickle

Vulnerability ID: CVE-2026-27794
CVSS Score: 6.6
Published: 2026-02-25

LangGraph, the brain behind many stateful LLM agents, contained a critical deserialization vulnerability in its caching layer. By defaulting to Python's insecure pickle module for fallback serialization, the library opened a backdoor for attackers with write access to the cache backend (like Redis) to execute arbitrary code on the application server. It turns out that trusting serialized data from your cache is just as dangerous as trusting user input directly.

TL;DR

LangGraph's checkpointing system enabled pickle_fallback=True by default. Attackers who can write to the cache (Redis/Filesystem) can inject malicious pickle payloads. When the application reads the cache, the payload executes, resulting in RCE.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502 (Deserialization of Untrusted Data)
  • CVSS v3.1: 6.6 (Medium)
  • Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network (via Cache Backend)
  • Privileges Required: High (Write access to cache)
  • KEV Status: Not Listed

Affected Systems

  • LangGraph applications using caching
  • Systems using langgraph-checkpoint < 4.0.0
  • langgraph-checkpoint: < 4.0.0 (Fixed in: 4.0.0)
  • langgraph: < 1.0.6 (Fixed in: 1.0.6)

Code Analysis

Commit: f91d79d

Disable pickle fallback by default in BaseCache

-    serde: SerializerProtocol = JsonPlusSerializer(pickle_fallback=True)
+    serde: SerializerProtocol = JsonPlusSerializer(pickle_fallback=False)
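Review bot: the `+` line changes only the default, so a caller that passes its own `JsonPlusSerializer(pickle_fallback=True)` as `serde` is still exposed. Consider a comment on this line stating why the fallback is off, plus a regression test asserting that the default serializer is built with `pickle_fallback=False`. Because this alters behaviour for anyone relying on the old default, it also deserves a release-note entry.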

Exploit Details

  • GitHub Advisory: Vendor advisory describing the pickle fallback vulnerability.

Mitigation Strategies

  • Disable pickle fallback in serialization logic
  • Restrict network access to cache backends (Redis/Memcached)
  • Implement strong authentication for all data stores

Remediation Steps:

  1. Update langgraph-checkpoint to version >= 4.0.0
  2. Update langgraph to version >= 1.0.6
  3. Audit custom serializer configurations to ensure pickle_fallback is not manually set to True
  4. Flush existing cache entries if there is suspicion of compromise
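
For remediation step 3, one way to find explicit pickle_fallback settings in a code base. This is an added example, not code from the original report or from LangGraph. The function names, the SAMPLE input and the ALLOW_PICKLE variable are constructed for illustration; only JsonPlusSerializer and pickle_fallback come from the report.

```python
import ast
import sys
from pathlib import Path

# Constructed sample input, not taken from any real project.
SAMPLE = '''
a = JsonPlusSerializer(pickle_fallback=True)
b = JsonPlusSerializer(pickle_fallback=False)
c = JsonPlusSerializer(pickle_fallback=ALLOW_PICKLE)
d = serde.jsonplus.JsonPlusSerializer(pickle_fallback=True)
'''

def _callee(func):
    # Best-effort dotted name of the called object, for the report.
    if isinstance(func, ast.Attribute):
        return f"{_callee(func.value)}.{func.attr}"
    return func.id if isinstance(func, ast.Name) else "<expr>"

def find_pickle_fallback(source, filename="<string>"):
    """Return sorted (file, line, callee, verdict) for risky pickle_fallback kwargs."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in (k for k in node.keywords if k.arg == "pickle_fallback"):
            if isinstance(kw.value, ast.Constant):
                if not kw.value.value:
                    continue  # literal False (or other falsy constant): fallback is off
                verdict = "enabled"
            else:
                verdict = "review"  # value decided at runtime; check where it comes from
            findings.append((filename, node.lineno, _callee(node.func), verdict))
    return sorted(findings, key=lambda f: f[1])

def audit_tree(root):
    """Scan every .py file under root, skipping files that cannot be read or parsed."""
    results = []
    for path in sorted(Path(root).rglob("*.py")):
        try:
            results += find_pickle_fallback(path.read_text(encoding="utf-8"), str(path))
        except (SyntaxError, UnicodeDecodeError, ValueError, OSError):
            continue
    return results

if __name__ == "__main__":
    hits = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else find_pickle_fallback(SAMPLE, "sample.py")
    for file, line, callee, verdict in hits:
        print(f"{file}:{line}: {callee}(pickle_fallback=...) -> {verdict}")
```

The scan is static and only sees the keyword spelled out at the call site. A setting passed through **kwargs or a config object will not be reported, so treat a clean result as a starting point rather than proof.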
