Vulnerability-Lookup

CVE-2026-27022 (GCVE-0-2026-27022)

Vulnerability from cvelistv5 – Published: 2026-02-20 21:06 – Updated: 2026-02-24 18:33

Title

RediSearch Query Injection in @langchain/langgraph-checkpoint-redis

Summary

@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/langchain-ai/langgraphjs/secur…	x_refsource_CONFIRM
	https://github.com/langchain-ai/langgraphjs/pull/1943	x_refsource_MISC
	https://github.com/langchain-ai/langgraphjs/commi…	x_refsource_MISC
	https://github.com/langchain-ai/langgraphjs/relea…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	langchain-ai	langgraphjs	Affected: < 1.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27022",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-24T18:33:08.517946Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-24T18:33:25.127Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langgraphjs",
          "vendor": "langchain-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package\u0027s filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T21:06:53.773Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m"
        },
        {
          "name": "https://github.com/langchain-ai/langgraphjs/pull/1943",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langgraphjs/pull/1943"
        },
        {
          "name": "https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1"
        },
        {
          "name": "https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2"
        }
      ],
      "source": {
        "advisory": "GHSA-5mx2-w598-339m",
        "discovery": "UNKNOWN"
      },
      "title": "RediSearch Query Injection in @langchain/langgraph-checkpoint-redis"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27022",
    "datePublished": "2026-02-20T21:06:53.773Z",
    "dateReserved": "2026-02-17T03:08:23.490Z",
    "dateUpdated": "2026-02-24T18:33:25.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27022\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-24T18:33:08.517946Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-24T18:33:16.867Z\"}}], \"cna\": {\"title\": \"RediSearch Query Injection in @langchain/langgraph-checkpoint-redis\", \"source\": {\"advisory\": \"GHSA-5mx2-w598-339m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"langchain-ai\", \"product\": \"langgraphjs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m\", \"name\": \"https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langchain-ai/langgraphjs/pull/1943\", \"name\": \"https://github.com/langchain-ai/langgraphjs/pull/1943\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1\", \"name\": \"https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2\", \"name\": \"https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package\u0027s filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-20T21:06:53.773Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27022\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-24T18:33:25.127Z\", \"dateReserved\": \"2026-02-17T03:08:23.490Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-20T21:06:53.773Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-5MX2-W598-339M

Vulnerability from github – Published: 2026-02-18 22:40 – Updated: 2026-02-23 22:20

Summary

RediSearch Query Injection in @langchain/langgraph-checkpoint-redis

Details

Summary

A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls.

Attack surface

The core vulnerability was in the list() methods of both RedisSaver and ShallowRedisSaver: these methods failed to escape RediSearch special characters in filter keys and values when constructing queries. When unescaped data containing RediSearch syntax was used, the injected operators were interpreted by RediSearch rather than treated as literal search values.

This escaping bug enabled the following attack vector:

Thread boundary escape via OR operator: RediSearch uses | as an OR operator with specific precedence rules. A query like A B | C is interpreted as (A AND B) OR C. By injecting }) | (@thread_id:{* into a filter value, an attacker can append an OR clause that matches all threads, effectively bypassing the thread isolation constraint.

The injected query (@thread_id:{legitimate-thread}) (@source:{x}) | (@thread_id:{*}) matches:

Documents with thread_id:legitimate-thread AND source:x, OR
Documents with ANY thread_id

The second clause matches all threads, bypassing thread isolation entirely.

Who is affected?

Applications are vulnerable if they:

Pass user-controlled input to filter parameters — When using getStateHistory() or checkpointer.list() with filter values derived from user input, HTTP parameters, or other untrusted sources.
Use Redis checkpointing in multi-tenant applications — Applications that rely on thread isolation to separate data between users or tenants are at risk of cross-tenant data access.

The most common attack vector is through API endpoints that expose filtering capabilities to end users, allowing them to search or filter their conversation history.

Impact

Attackers who control filter input can bypass thread isolation by injecting RediSearch OR operators to construct queries that match all threads regardless of the intended thread constraint. This enables access to checkpoint data from threads the attacker is not authorized to view.

Key severity factors:

Enables complete bypass of thread-based access controls
Sensitive conversation data from other users may be exposed
Affects multi-tenant applications relying on thread isolation for data separation
Requires only control over filter input values (common in user-facing APIs)

Exploit example

import { RedisSaver } from "@langchain/langgraph-checkpoint-redis";

const saver = new RedisSaver({ /* redis config */ });

// Normal usage - should only see thread "user-123-thread"
const legitHistory = saver.list({
  configurable: { thread_id: "user-123-thread" }
}, {
  filter: { source: "loop" }
});

// Attacker crafts malicious filter value
const attackerFilter = {
  source: "x}) | (@thread_id:{*"  // Injects OR clause matching ALL threads
};

// This produces a query like:
// (@thread_id:{user-123-thread}) (@source:{x}) | (@thread_id:{*})
// Due to precedence, this matches ALL threads!

const stolenHistory = saver.list({
  configurable: { thread_id: "user-123-thread" }
}, {
  filter: attackerFilter
});

// stolenHistory now contains checkpoints from ALL threads - DATA LEAKED!

Security hardening changes

The 1.0.2 patch introduces the following changes:

Escape utility function: A new escapeRediSearchTagValue() function properly escapes all RediSearch special characters (- . < > { } [ ] " ' : ; ! @ # $ % ^ & * ( ) + = ~ | \ ? /) by prefixing them with backslashes.
Filter key escaping: All filter keys are escaped before being used in query construction.
Filter value escaping: All filter values are escaped before being interpolated into RediSearch tag queries.

Migration guide

No changes needed for most users

The fix is backward compatible. Existing code will work without modifications—filter values that previously worked will continue to work, with the added protection against injection:

import { RedisSaver } from "@langchain/langgraph-checkpoint-redis";

// Works exactly as before, now with injection protection
const history = saver.list(config, {
  filter: { source: "loop" }
});

If you were relying on special characters

If your application intentionally used RediSearch syntax in filter values (unlikely but possible), be aware that these characters will now be escaped and treated as literals.

For applications with user-facing filters

No code changes required, but this is a good time to review your API design:

// Before: Vulnerable to injection
app.get("/history", async (req, res) => {
  const history = await saver.list(config, {
    filter: req.query.filter  // User-controlled - was vulnerable
  });
});

// After: Now safe, but consider validating allowed filter keys
app.get("/history", async (req, res) => {
  const allowedKeys = ["source", "step"];
  const sanitizedFilter = Object.fromEntries(
    Object.entries(req.query.filter || {})
      .filter(([key]) => allowedKeys.includes(key))
  );
  const history = await saver.list(config, {
    filter: sanitizedFilter
  });
});

Recommendation: Even with the fix in place, consider validating that filter keys are from an allowed list as a defense-in-depth measure.

References

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@langchain/langgraph-checkpoint-redis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:40:09Z",
    "nvd_published_at": "2026-02-20T22:16:28Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA query injection vulnerability exists in the `@langchain/langgraph-checkpoint-redis` package\u0027s filter handling. The `RedisSaver` and `ShallowRedisSaver` classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls.\n\n## Attack surface\n\nThe core vulnerability was in the `list()` methods of both `RedisSaver` and `ShallowRedisSaver`: these methods failed to escape RediSearch special characters in filter keys and values when constructing queries. When unescaped data containing RediSearch syntax was used, the injected operators were interpreted by RediSearch rather than treated as literal search values.\n\nThis escaping bug enabled the following attack vector:\n\n- **Thread boundary escape via OR operator**: RediSearch uses `|` as an OR operator with specific precedence rules. A query like `A B | C` is interpreted as `(A AND B) OR C`. By injecting `}) | (@thread_id:{*` into a filter value, an attacker can append an OR clause that matches all threads, effectively bypassing the thread isolation constraint.\n\nThe injected query `(@thread_id:{legitimate-thread}) (@source:{x}) | (@thread_id:{*})` matches:\n\n- Documents with `thread_id:legitimate-thread AND source:x`, OR\n- Documents with ANY `thread_id`\n\nThe second clause matches all threads, bypassing thread isolation entirely.\n\n## Who is affected?\n\nApplications are vulnerable if they:\n\n- **Pass user-controlled input to filter parameters** \u2014 When using `getStateHistory()` or `checkpointer.list()` with filter values derived from user input, HTTP parameters, or other untrusted sources.\n- **Use Redis checkpointing in multi-tenant applications** \u2014 Applications that rely on thread isolation to separate data between users or tenants are at risk of cross-tenant data access.\n\nThe most common attack vector is through API endpoints that expose filtering capabilities to end users, allowing them to search or filter their conversation history.\n\n## Impact\n\nAttackers who control filter input can bypass thread isolation by injecting RediSearch OR operators to construct queries that match all threads regardless of the intended thread constraint. This enables access to checkpoint data from threads the attacker is not authorized to view.\n\nKey severity factors:\n\n- Enables complete bypass of thread-based access controls\n- Sensitive conversation data from other users may be exposed\n- Affects multi-tenant applications relying on thread isolation for data separation\n- Requires only control over filter input values (common in user-facing APIs)\n\n## Exploit example\n\n```typescript\nimport { RedisSaver } from \"@langchain/langgraph-checkpoint-redis\";\n\nconst saver = new RedisSaver({ /* redis config */ });\n\n// Normal usage - should only see thread \"user-123-thread\"\nconst legitHistory = saver.list({\n  configurable: { thread_id: \"user-123-thread\" }\n}, {\n  filter: { source: \"loop\" }\n});\n\n// Attacker crafts malicious filter value\nconst attackerFilter = {\n  source: \"x}) | (@thread_id:{*\"  // Injects OR clause matching ALL threads\n};\n\n// This produces a query like:\n// (@thread_id:{user-123-thread}) (@source:{x}) | (@thread_id:{*})\n// Due to precedence, this matches ALL threads!\n\nconst stolenHistory = saver.list({\n  configurable: { thread_id: \"user-123-thread\" }\n}, {\n  filter: attackerFilter\n});\n\n// stolenHistory now contains checkpoints from ALL threads - DATA LEAKED!\n```\n\n## Security hardening changes\n\nThe 1.0.2 patch introduces the following changes:\n\n- **Escape utility function**: A new `escapeRediSearchTagValue()` function properly escapes all RediSearch special characters (`- . \u003c \u003e { } [ ] \" \u0027 : ; ! @ # $ % ^ \u0026 * ( ) + = ~ | \\ ? /`) by prefixing them with backslashes.\n- **Filter key escaping**: All filter keys are escaped before being used in query construction.\n- **Filter value escaping**: All filter values are escaped before being interpolated into RediSearch tag queries.\n\n## Migration guide\n\n### No changes needed for most users\n\nThe fix is backward compatible. Existing code will work without modifications\u2014filter values that previously worked will continue to work, with the added protection against injection:\n\n```typescript\nimport { RedisSaver } from \"@langchain/langgraph-checkpoint-redis\";\n\n// Works exactly as before, now with injection protection\nconst history = saver.list(config, {\n  filter: { source: \"loop\" }\n});\n```\n\n### If you were relying on special characters\n\nIf your application intentionally used RediSearch syntax in filter values (unlikely but possible), be aware that these characters will now be escaped and treated as literals.\n\n### For applications with user-facing filters\n\nNo code changes required, but this is a good time to review your API design:\n\n```typescript\n// Before: Vulnerable to injection\napp.get(\"/history\", async (req, res) =\u003e {\n  const history = await saver.list(config, {\n    filter: req.query.filter  // User-controlled - was vulnerable\n  });\n});\n\n// After: Now safe, but consider validating allowed filter keys\napp.get(\"/history\", async (req, res) =\u003e {\n  const allowedKeys = [\"source\", \"step\"];\n  const sanitizedFilter = Object.fromEntries(\n    Object.entries(req.query.filter || {})\n      .filter(([key]) =\u003e allowedKeys.includes(key))\n  );\n  const history = await saver.list(config, {\n    filter: sanitizedFilter\n  });\n});\n```\n\n\u003e **Recommendation**: Even with the fix in place, consider validating that filter keys are from an allowed list as a defense-in-depth measure.\n\n## References\n\n- [RediSearch Query Syntax](https://redis.io/docs/interact/search-and-query/query/)\n- [LangGraph Checkpoint Documentation](https://langchain-ai.github.io/langgraphjs/)",
  "id": "GHSA-5mx2-w598-339m",
  "modified": "2026-02-23T22:20:29Z",
  "published": "2026-02-18T22:40:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraphjs/pull/1943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langgraphjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RediSearch Query Injection in @langchain/langgraph-checkpoint-redis"
}

FKIE_CVE-2026-27022

Vulnerability from fkie_nvd - Published: 2026-02-20 22:16 - Updated: 2026-02-23 18:14

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1
	security-advisories@github.com	https://github.com/langchain-ai/langgraphjs/pull/1943
	security-advisories@github.com	https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2
	security-advisories@github.com	https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package\u0027s filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2."
    }
  ],
  "id": "CVE-2026-27022",
  "lastModified": "2026-02-23T18:14:13.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-20T22:16:28.480",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraphjs/commit/814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraphjs/pull/1943"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraphjs/releases/tag/@langchain/langgraph-checkpoint-redis@1.0.2"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-27022 (GCVE-0-2026-27022)

GHSA-5MX2-W598-339M

Summary

Attack surface

Who is affected?

Impact

Exploit example

Security hardening changes

Migration guide

No changes needed for most users

If you were relying on special characters

For applications with user-facing filters

References

FKIE_CVE-2026-27022

Tags

Sightings

Nomenclature