LangGraph Checkpoint Redis Query Injection (CVE-2026-27022)

Executive Summary

What: A medium-severity query injection vulnerability (CVE-2026-27022, CVSS 6.5) exists in the @langchain/langgraph-checkpoint-redis npm package (versions prior to 1.0.2). The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-supplied filter keys and values without escaping special syntax characters, enabling an attacker to inject operators that modify query logic and bypass thread-isolation controls (GHSA-5mx2-w598-339m).

So What: In multi-tenant LangGraph deployments that use Redis-backed checkpointing, a low-privilege authenticated user can inject RediSearch syntax into filter parameters to retrieve checkpoint data belonging to other tenants' threads. This exposes conversation history, agent execution state, intermediate reasoning steps, and any data serialised into checkpoint fields -- a direct confidentiality breach with no integrity or availability impact (NVD). The CVSS vector confirms HIGH confidentiality impact with only low privileges required (NVD).

Now What: Organisations running @langchain/langgraph-checkpoint-redis should upgrade to version 1.0.2 immediately (GHSA-5mx2-w598-339m). As defence-in-depth, validate and sanitise all filter parameters passed to list() or getStateHistory() before they reach the checkpoint layer. Multi-tenant deployments should evaluate architectural isolation strategies beyond thread-level separation within a shared Redis instance.

Risk Rating

Affected Products

Am I Affected?

• Check if @langchain/langgraph-checkpoint-redis appears in your package.json or package-lock.json
• Verify the installed version: any version prior to 1.0.2 is vulnerable (GHSA-5mx2-w598-339m)
• Determine whether your deployment is multi-tenant (multiple users or organisational units sharing a single LangGraph + Redis instance)
• Assess whether user-supplied input can reach the filter parameter of list() or getStateHistory() calls
• Confirm whether the target Redis instance has the RediSearch module loaded (the vulnerability is specific to RediSearch query syntax)

Abstract

CVE-2026-27022 is a medium-severity query injection vulnerability in the @langchain/langgraph-checkpoint-redis npm package, part of the LangChain/LangGraph ecosystem for building stateful AI agent applications. The RedisSaver and ShallowRedisSaver classes accept user-provided filter parameters for listing checkpoints and construct RediSearch queries by directly interpolating these values without escaping special characters (GHSA-5mx2-w598-339m). RediSearch uses syntax characters including {, }, |, @, and * as query operators (GHSA-5mx2-w598-339m). By injecting a crafted payload such as }) | (@thread_id:{* into a filter value, an attacker appends an OR clause that matches all threads, breaking the intended thread-isolation boundary and exposing checkpoint data from other tenants (GHSA-5mx2-w598-339m). The fix in version 1.0.2 introduces an escapeRediSearchTagValue() utility function that escapes all RediSearch special characters in both filter keys and values before query construction (Patch commit 814c76dc). The vulnerability is classified as CWE-74 (Improper Neutralisation of Special Elements in Output Used by a Downstream Component) (NVD) and carries a CVSS v3.1 score of 6.5 with HIGH confidentiality impact but no integrity or availability impact (NVD).

Key Findings

1. RediSearch query injection via unescaped filter parameters -- The RedisSaver.list() and ShallowRedisSaver.list() methods embed user-supplied filter keys and values directly into RediSearch query strings without escaping special syntax characters, enabling query logic manipulation (GHSA-5mx2-w598-339m).

2. Thread-isolation bypass in multi-tenant deployments -- By injecting an OR operator and wildcard thread match (}) | (@thread_id:{*), an attacker can cause RediSearch to return checkpoint documents from all threads rather than only the caller's own, defeating the intended access control boundary (GHSA-5mx2-w598-339m).

3. Read-only impact -- Successful exploitation yields unauthorised read access to checkpoint data. There is no write path through this vulnerability; the attacker cannot modify or delete checkpoints belonging to other tenants (NVD: I:N, A:N).

4. Both keys and values are injectable -- The advisory confirms that both filter keys and filter values are interpolated without escaping, meaning injection may be achieved through either parameter position (GHSA-5mx2-w598-339m).

5. Patch escapes special characters at the query construction layer -- The fix imports escapeRediSearchTagValue() and applies it to both the key and value before embedding them into the RediSearch query template, ensuring special characters are treated as literals rather than operators (Patch commit 814c76dc).

Attack Flow

+---------------------+
|  1. AUTHENTICATE    |  Attacker authenticates as low-privilege user
|  Low-privilege user |  in multi-tenant LangGraph application
+----------+----------+  (NVD: PR:L)
           |
           v
+---------------------+
|  2. IDENTIFY FILTER |  Attacker locates checkpoint listing
|  INJECTION POINT    |  interface (API, SDK) that passes
|                     |  caller-supplied filters to list()
+----------+----------+  (GHSA-5mx2-w598-339m)
           |
           v
+---------------------+
|  3. CRAFT PAYLOAD   |  Filter value:
|  RediSearch inject  |  }) | (@thread_id:{*
|                     |  Closes tag filter, appends OR wildcard
+----------+----------+  (GHSA-5mx2-w598-339m)
           |
           v
+---------------------+
|  4. QUERY MODIFIED  |  RediSearch interprets injected operators
|  Thread isolation   |  OR branch matches ALL thread IDs
|  bypassed           |  in the checkpoint index
+----------+----------+  (GHSA-5mx2-w598-339m)
           |
           v
+---------------------+
|  5. DATA EXFILTRATE |  Checkpoint data from other tenants
|  Cross-tenant read  |  returned to attacker: conversation
|  Confidentiality:H  |  history, agent state, tool calls
+---------------------+  (NVD: C:H)

Technical Details

Vulnerability Mechanics

The @langchain/langgraph-checkpoint-redis package provides persistent checkpoint storage for LangGraph agent applications using Redis with the RediSearch module. The RedisSaver and ShallowRedisSaver classes implement a list() method that accepts a filter parameter, enabling callers to retrieve checkpoints matching specific criteria (GHSA-5mx2-w598-339m).

Internally, the list() method constructs a RediSearch query by iterating over the caller-supplied filter object and embedding each key-value pair into a tag-filter expression using string interpolation:

(@<key>:{<value>})

No escaping or sanitisation of RediSearch special characters is applied to either the key or value before interpolation (GHSA-5mx2-w598-339m). RediSearch's query syntax reserves a set of characters -- including {, }, |, @, *, -, (, ), and space -- as operators that control query logic (GHSA-5mx2-w598-339m). When these characters appear in a filter value that is embedded verbatim, the RediSearch engine interprets them as query syntax rather than as literal data.

Exploitation Mechanism

An attacker crafts a filter value containing RediSearch operators designed to break out of the current tag-filter expression and append a wildcard match. The advisory documents the following illustrative payload structure (GHSA-5mx2-w598-339m):

source: "x}) | (@thread_id:{*"

When this value is interpolated into the query template, the resulting RediSearch query becomes:

(@source:{x}) | (@thread_id:{*})

This query has two branches joined by an OR operator: - (@source:{x}) -- matches the attacker's original (likely empty) filter - (@thread_id:{*}) -- matches ALL threads in the checkpoint index

RediSearch evaluates the OR and returns checkpoint documents from every thread stored under the affected Redis key prefix, not only those belonging to the attacker's session (GHSA-5mx2-w598-339m).

CVSS Vector Analysis

The CVSS:3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD) reflects:

• Attack Vector: Network -- exploitable remotely over any network
• Attack Complexity: Low -- no special conditions or race conditions required
• Privileges Required: Low -- the attacker needs a valid low-privilege authenticated session
• User Interaction: None -- no victim action required
• Scope: Unchanged -- the impact is confined to the vulnerable component's data
• Confidentiality: High -- full read access to checkpoint data across tenant boundaries
• Integrity: None -- no write capability
• Availability: None -- no denial of service

Weakness Classification

CWE-74: Improper Neutralisation of Special Elements in Output Used by a Downstream Component (NVD). This classification reflects the core issue: the application constructs output (a RediSearch query) using upstream input (filter parameters) without neutralising characters that have special meaning in the downstream component (the RediSearch engine).

Patch Analysis

The fix introduced in commit 814c76dc3938d0f6f7e17ca3bc11d6a12270b2a1 addresses the vulnerability at the query construction layer (Patch commit 814c76dc):

• Imports the escapeRediSearchTagValue() utility function
• Applies escaping to both the filter key and filter value before embedding them into the query string
• The escaped construction becomes:

const escapedKey = escapeRediSearchTagValue(key);
const escapedValue = escapeRediSearchTagValue(value);
queryParts.push(`(@${escapedKey}:{${escapedValue}})`);

This ensures that all RediSearch special characters in user-supplied input are treated as literals rather than query operators (Patch commit 814c76dc).

The same commit also addresses a related injection vector in the MongoDB checkpoint saver (@langchain/langgraph-checkpoint-mongodb), adding primitive type validation to reject object-based MongoDB operator injection attempts (Patch commit 814c76dc).

Confidence & Validation

Assessment Confidence: High

Reporter and Remediation Credits

• Reporter: yardenporat353 (GHSA-5mx2-w598-339m)
• Remediation Developer: hntrl (GHSA-5mx2-w598-339m)

Detection Signatures (Formal Rules)

Prerequisites: The following detection rules require specific logging and instrumentation capabilities. Sigma Rule 1 assumes web server logs expose raw query characters (|, {*, @thread_id); URL-encoded or normalised logs may not match. The cross-thread session correlation rule (Sigma Rule 4) requires custom application-level instrumentation to track checkpoint thread IDs per user session -- this is not available in default LangGraph deployments.

Sigma Rule 1 -- Application: RediSearch Injection Characters in Filter Parameters

Detects HTTP requests to a LangGraph checkpoint API endpoint containing RediSearch special characters in filter parameter values, consistent with exploitation of CVE-2026-27022 (GHSA-5mx2-w598-339m).

title: LangGraph Checkpoint Redis -- RediSearch Injection Characters in Filter Parameter
id: raxe-2026-025-app-001
status: experimental
description: >
  Detects HTTP requests to a LangGraph checkpoint API endpoint that contain
  RediSearch special characters in filter parameter values. The
  @langchain/langgraph-checkpoint-redis package (< 1.0.2) does not escape these
  characters before embedding filter values into RediSearch query strings, enabling
  an attacker to inject OR operators and wildcard clauses that bypass thread
  isolation in multi-tenant deployments (GHSA-5mx2-w598-339m; CVE-2026-27022).
references:
  - https://github.com/advisories/GHSA-5mx2-w598-339m
  - https://nvd.nist.gov/vuln/detail/CVE-2026-27022
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
  - cve.2026-27022
  - attack.collection
  - attack.t1530
logsource:
  category: webserver
  product: generic
detection:
  selection_path:
    cs-uri-stem|contains:
      - '/checkpoint'
      - '/state_history'
      - '/getStateHistory'
      - '/list'
  selection_injection_chars:
    cs-uri-query|contains:
      - '|'
      - '{*'
      - '@thread_id'
      - '})'
  condition: selection_path and selection_injection_chars
falsepositives:
  - Legitimate applications that pass structured filter objects encoded in query
    parameters where curly braces or pipe characters appear in encoded form; tune
    against baseline traffic for the specific API
  - URL-encoded variants of the same characters (e.g. %7B, %7C, %7D) may not be
    matched by this rule in log sources that do not normalise URL encoding before
    writing log entries; a complementary rule covering encoded forms is advisable
level: medium

Sigma Rule 2 -- Redis: FT.SEARCH with OR Operator or Wildcard Thread Match

Detects Redis FT.SEARCH commands containing an explicit OR operator or a wildcard thread_id match, indicating successful query injection consistent with CVE-2026-27022 (GHSA-5mx2-w598-339m).

title: LangGraph Checkpoint Redis -- FT.SEARCH Command with OR Operator or Wildcard Thread
id: raxe-2026-025-redis-001
status: experimental
description: >
  Detects Redis FT.SEARCH commands that contain an explicit OR operator ('|') or a
  wildcard thread_id match ('thread_id:{*'). In a correctly operating
  @langchain/langgraph-checkpoint-redis deployment the checkpoint query should match
  a single, fully-specified thread identifier; the presence of an OR branch or a
  wildcard indicates that query injection has successfully modified the query
  structure, consistent with exploitation of CVE-2026-27022
  (GHSA-5mx2-w598-339m).
references:
  - https://github.com/advisories/GHSA-5mx2-w598-339m
  - https://nvd.nist.gov/vuln/detail/CVE-2026-27022
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
  - cve.2026-27022
  - attack.collection
logsource:
  product: redis
  category: command
detection:
  selection_command:
    CommandName: 'FT.SEARCH'
  selection_injection_pattern:
    CommandArguments|contains:
      - ' | '
      - '|(@'
      - 'thread_id:{*'
      - '}) |'
  condition: selection_command and selection_injection_pattern
falsepositives:
  - Redis deployments where the application legitimately constructs multi-branch
    OR queries for business logic purposes unrelated to checkpoint isolation; such
    usage would be unusual for a checkpoint store and should be investigated
  - FT.SEARCH commands issued by monitoring or introspection tooling that queries
    checkpoint indices without a thread-scoping filter
level: high

Sigma Rule 3 -- Redis: FT.SEARCH on LangGraph Checkpoint Index Matching All Threads

Detects FT.SEARCH commands where the query body contains a wildcard match for all thread identifiers, consistent with the advisory-documented injection payload (GHSA-5mx2-w598-339m).

title: LangGraph Checkpoint Redis -- FT.SEARCH Returning Results Across All Thread IDs
id: raxe-2026-025-redis-002
status: experimental
description: >
  Detects FT.SEARCH commands issued against a LangGraph checkpoint index where the
  query body contains a wildcard match for all thread identifiers ('@thread_id:{*}').
  The advisory-documented injection payload closes the caller's tag filter and appends
  '@thread_id:{*' to match every thread stored in the index, bypassing the
  thread-isolation boundary that protects multi-tenant checkpoint data
  (GHSA-5mx2-w598-339m; CVE-2026-27022).
references:
  - https://github.com/advisories/GHSA-5mx2-w598-339m
  - https://nvd.nist.gov/vuln/detail/CVE-2026-27022
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
  - cve.2026-27022
  - attack.collection
logsource:
  product: redis
  category: command
detection:
  selection_command:
    CommandName: 'FT.SEARCH'
  selection_wildcard_thread:
    CommandArguments|contains:
      - '@thread_id:{*'
      - 'thread_id:{*}'
  condition: selection_command and selection_wildcard_thread
falsepositives:
  - Administrative queries issued by Redis operators intentionally listing all
    checkpoints for maintenance or debugging purposes; these should originate from
    authorised operator sessions and can be excluded by source IP or user principal
level: high

Sigma Rule 4 -- Audit: Cross-Thread Checkpoint Access by a Single Session

Detects a pattern where a single authenticated session retrieves checkpoint records associated with more than one distinct thread_id within a short time window, consistent with successful exploitation of CVE-2026-27022 (GHSA-5mx2-w598-339m).

title: LangGraph Checkpoint Redis -- Single Session Accessing Multiple Distinct Thread IDs
id: raxe-2026-025-audit-001
status: experimental
description: >
  Detects a pattern where a single authenticated session retrieves checkpoint records
  associated with more than one distinct thread_id within a short time window. In a
  correctly operating multi-tenant LangGraph deployment each user session is scoped to
  its own thread; access to checkpoint data from two or more distinct threads by one
  session is anomalous and consistent with successful exploitation of the thread-isolation
  bypass described in CVE-2026-27022 (GHSA-5mx2-w598-339m; NVD).
  This rule requires application-layer audit logging that records the session
  identifier and the thread_id values present in checkpoint API responses.
references:
  - https://github.com/advisories/GHSA-5mx2-w598-339m
  - https://nvd.nist.gov/vuln/detail/CVE-2026-27022
author: RAXE Labs (M. Hirani)
date: 2026-03-09
tags:
  - cve.2026-27022
  - attack.collection
logsource:
  category: application
  product: langgraph
  definition: >
    Requires application-level structured audit logs that record: session_id (or
    equivalent caller identity), the thread_id values returned in checkpoint list
    responses, and a timestamp. This is not emitted by the package itself;
    the consuming application must instrument its checkpoint access.
detection:
  selection:
    EventType: 'checkpoint_list_response'
  aggregate:
    GroupBy: session_id
    DistinctCount:
      Field: thread_id
      Threshold: 2
      Timeframe: 5m
  condition: selection | aggregate
falsepositives:
  - Application-layer components (e.g., admin dashboards, monitoring agents) that
    legitimately iterate across threads on behalf of a service account; exclude
    known service account identifiers from this rule
  - Session migration or replayed checkpoint reads during failover scenarios
level: medium

Detection & Mitigation

Immediate Actions

1. Upgrade to version 1.0.2 -- This is the primary remediation. The patch introduces escapeRediSearchTagValue() to sanitise all filter keys and values before query construction, eliminating the injection vector (GHSA-5mx2-w598-339m).

2. Assess exposure -- Identify all LangGraph deployments in the environment that use @langchain/langgraph-checkpoint-redis. Determine whether the deployment is multi-tenant and whether filter parameters are derived from user input (RAXE assessment).

3. Input validation at the application layer -- As defence-in-depth, validate filter keys against an allowlist before passing them to list() or getStateHistory(). Reject filter values containing RediSearch special characters ({, }, |, @, *) at the application boundary (GHSA-5mx2-w598-339m).

Detection Guidance

• Redis command monitoring -- Deploy Sigma Rules 2 and 3 to detect FT.SEARCH commands containing OR operators or wildcard thread matches. This requires Redis slow-query logging (slowlog-log-slower-than 0 in test; tune for production) or a command-recording proxy such as RedisInsight (RAXE assessment).
• Web application layer -- Deploy Sigma Rule 1 on web server access logs to detect RediSearch special characters in checkpoint-related API requests. Ensure query strings are not truncated in log output.
• Audit correlation -- Deploy Sigma Rule 4 as a SIEM correlation rule to detect sessions accessing checkpoints across multiple distinct thread IDs within a short window. This requires application-level instrumentation.

Strategic Recommendations

• Evaluate architectural isolation -- Multi-tenant LangGraph deployments should consider whether separate Redis instances or namespaces per tenant provide stronger isolation than thread-level separation within a shared instance. Thread-isolation is a logical boundary; infrastructure-level separation provides defence-in-depth (RAXE assessment).
• Audit LangGraph dependency chain -- The @langchain/langgraph-checkpoint-redis package is one component in the LangGraph ecosystem. Review all checkpoint savers (Redis, MongoDB, PostgreSQL) for similar input handling patterns. The same commit that fixes this CVE also addresses a related injection vector in the MongoDB checkpoint saver (Patch commit 814c76dc).
• Treat checkpoint stores as security-sensitive -- Checkpoint data in agent applications may contain conversation history, reasoning traces, tool call parameters, and intermediate results. Apply the same access control rigour to checkpoint storage as to any data store holding sensitive user data (RAXE assessment).

Indicators of Compromise

Strategic Context

This vulnerability illustrates a pattern seen in at least two checkpoint savers in the LangGraph ecosystem (Redis and MongoDB, both addressed in the same patch commit): security-sensitive query construction in checkpoint and state management layers that lacks adequate input sanitisation (Patch commit 814c76dc).

AI agent state stores are an emerging attack surface. As LangGraph, LangChain, and similar frameworks mature, stateful agent architectures increasingly rely on persistent checkpoint storage for durability, recovery, and multi-step execution. The LangGraph ecosystem provides checkpoint savers for at least Redis and MongoDB (both addressed in Patch commit 814c76dc) as well as PostgreSQL (npm: @langchain/langgraph-checkpoint-postgres). Each backend introduces its own query syntax, and each requires input escaping appropriate to its downstream interpreter. The pattern of injecting query operators through user-controlled parameters is well-understood in traditional web application security (SQL injection, NoSQL injection, LDAP injection) but is appearing in AI agent infrastructure where developers may not apply the same defensive rigour to checkpoint queries as they would to a primary database (RAXE assessment).

Multi-tenancy amplifies impact. The thread-isolation model in LangGraph assumes that the checkpoint store itself enforces access boundaries through query-level filtering (GHSA-5mx2-w598-339m). When that filtering is bypassable, the blast radius extends to every tenant sharing the same Redis instance. This is analogous to horizontal privilege escalation in SaaS applications -- the vulnerability itself is medium-severity, but the business impact in a shared environment can be significant (RAXE assessment).

Supply chain trust assumptions. Organisations adopting LangGraph's checkpoint packages may treat them as opaque infrastructure dependencies, trusting that the framework handles security-sensitive operations correctly. This finding reinforces the importance of treating AI framework dependencies as first-order security-relevant components, subject to the same review, scanning, and version-pinning discipline applied to database drivers, authentication libraries, and other security-critical dependencies (RAXE assessment).

The fix pattern is instructive. The remediation -- escaping special characters at the query construction boundary -- is the textbook response to injection vulnerabilities (Patch commit 814c76dc). That this pattern was absent from the initial implementation suggests that the RediSearch query syntax was not treated as a security-relevant interpreter during development (RAXE assessment). Organisations building on top of specialised query languages (RediSearch, Cypher, SPARQL, and similar) should audit their query construction code for the same category of flaw (RAXE assessment).

References

1. GHSA-5mx2-w598-339m -- LangGraph Checkpoint Redis Query Injection advisory, published 2026-02-17, updated 2026-02-23 (GHSA-5mx2-w598-339m)
2. CVE-2026-27022 -- NVD entry, CVSS 6.5 MEDIUM, CWE-74, published 2026-02-20 (NVD)
3. Patch Commit 814c76dc -- Fix introducing escapeRediSearchTagValue() utility for Redis and input validation for MongoDB (Patch commit 814c76dc)
4. FIRST EPSS -- Exploit Prediction Scoring System data for CVE-2026-27022 (FIRST EPSS)