What is CVE-2026-48775?

CVE-2026-48775 is a medium-severity vulnerability in Langchain-ai Langgraph, classified under Deserialization of Untrusted Data. CVSS score: 6.8/10. Published 2026-06-16.

How severe is CVE-2026-48775?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Deserialization in Langchain-ai Langgraph

CVE-2026-48775

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint…

Vulnerability class: Insecure Deserialization

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Langchain-ai Langgraph — versions < 1.2.2
Langchain-ai Langraph-checkpoint — versions < 4.1.1

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data
CWE-913 — Improper Control of Dynamically-Managed Code Resources

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-48775?: CVE-2026-48775 is a medium-severity vulnerability in Langchain-ai Langgraph, classified under Deserialization of Untrusted Data. CVSS score: 6.8/10. Published 2026-06-16.
How severe is CVE-2026-48775?: Medium severity. CVSS v3 base score is 6.8 out of 10.