Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.
AnalysisAI
Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitrary code by abusing how the platform handles symbolic links while unpacking uploaded archives. Because extraction does not properly validate symlink targets, a crafted archive can write files outside the intended directory and ultimately achieve code execution on the host. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and is reachable without authentication or user interaction, though no public exploit identified at time of analysis.
Technical ContextAI
Langflow OSS is an open-source, low-code platform for visually building LLM-driven and agentic workflows, where users frequently import and export 'flows' and components as packaged archives. This vulnerability is a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal) issue manifesting during archive extraction: when the application unpacks a user-supplied archive, it fails to validate symbolic links contained within it. This is the classic symlink/Zip-Slip extraction weakness, where a link entry can point to an absolute or relative path outside the extraction root, causing subsequent writes to land in attacker-chosen locations on disk - for example overwriting application code, configuration, or startup scripts that are later executed. No CPE strings were provided in the source data; affected products are identified only by the IBM/EUVD version ranges.
RemediationAI
The primary remediation is to upgrade to a fixed release as directed by the IBM advisory at https://www.ibm.com/support/pages/node/7273426 (patch available per vendor advisory); the exact fixed version number is not specified in the available data, so confirm it directly from that advisory before deploying. Until a patched build is applied, reduce exposure by restricting network access to the Langflow service so it is not reachable from untrusted networks (the trade-off is loss of remote/team access), and by placing authentication and a reverse proxy in front of the application to limit who can reach archive import functionality. Where operationally acceptable, disable or block the flow/component import-upload endpoints that trigger archive extraction (trade-off: users lose the ability to import packaged flows), and avoid extracting any untrusted archives. These are compensating controls only and do not remove the underlying symlink-handling defect.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32494
GHSA-25hm-qrp9-f25g