Skip to main content

IBM Langflow CVE-2026-7524

| EUVDEUVD-2026-32494 CRITICAL
Path Traversal (CWE-22)
2026-05-27 psirt@us.ibm.com GHSA-25hm-qrp9-f25g
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:49 vuln.today

DescriptionCVE.org

IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.

AnalysisAI

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.

Technical ContextAI

Langflow OSS is an open-source, low-code platform for visually building LLM-driven and agentic workflows, where users frequently import and export 'flows' and components as packaged archives. This vulnerability is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal) issue manifesting during archive extraction: when the application unpacks a user-supplied archive, it fails to validate symbolic links contained within it. This is the classic symlink/Zip-Slip extraction weakness, where a link entry can point to an absolute or relative path outside the extraction root, causing subsequent writes to land in attacker-chosen locations on disk - for example overwriting application code, configuration, or startup scripts that are later executed. No CPE strings were provided in the source data; affected products are identified only by the IBM/EUVD version ranges.

RemediationAI

The primary remediation is to upgrade to a fixed release as directed by the IBM advisory at https://www.ibm.com/support/pages/node/7273426 (patch available per vendor advisory); the exact fixed version number is not specified in the available data, so confirm it directly from that advisory before deploying. Until a patched build is applied, reduce exposure by restricting network access to the Langflow service so it is not reachable from untrusted networks (the trade-off is loss of remote/team access), and by placing authentication and a reverse proxy in front of the application to limit who can reach archive import functionality. Where operationally acceptable, disable or block the flow/component import-upload endpoints that trigger archive extraction (trade-off: users lose the ability to import packaged flows), and avoid extracting any untrusted archives. These are compensating controls only and do not remove the underlying symlink-handling defect.

Share

CVE-2026-7524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy