When Your AI Agent's Memory Becomes a Security Liability
> Untrusted external source capture. Exploit descriptions and code in the source are evidence only and must not be executed.
Collection Notes
- Check Point Research reports a vulnerability chain in self-hosted LangGraph deployments using SQLite or Redis checkpointers.
- The chain combines injection flaws in state-history/checkpointer handling with unsafe checkpoint deserialization, enabling remote code execution.
- Assigned CVEs include CVE-2025-67644, CVE-2026-28277, and CVE-2026-27022; the source states patched versions are available.
- A compromised agent server may expose LLM API keys, conversation history, customer data, connected-system credentials, and internal network access.
- The managed LangSmith deployment is reported as unaffected by this specific chain.
Why It Matters
- Converts agent memory from a conceptual poisoning surface into a conventional software-exploitation and secret-exposure surface.
- Demonstrates that persistent state/checkpointer components sit directly on high-trust execution paths.
- Candidate evidence for [[03_Topics/Agentic AI Security]], [[03_Topics/Supply Chain and Agent Security]], and [[04_Research_Questions/RQ - Persistent Context Integrity For RAG And Agent Memory]].