Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable, low-complexity code injection requiring only a low-privileged account (PR:L); OS command execution breaks out of the app context (S:C) for full C/I/A loss.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement.
AnalysisAI
Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-system commands and read sensitive files such as stored credentials, escalating from low-privileged application access to full host compromise. Rated CVSS 9.9 with a scope-changing vector, the flaw enables lateral movement once an attacker holds any valid Langflow account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Langflow session (CVSS PR:L) reachable over the network (AV:N), with no user interaction (UI:N) and low complexity (AC:L) against versions 1.0.0-1.10.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals lean strongly toward genuine priority for any internet-reachable deployment: AV:N/AC:L means network-reachable, low-complexity exploitation, and S:C with C:H/I:H/A:H reflects full host takeover, yielding the 9.9 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted a low-privilege Langflow account crafts a flow or input that injects OS commands into the server-side runtime, then executes commands to read credential files on the host. Using those harvested secrets, the attacker pivots to connected systems for lateral movement. … |
| Remediation | Apply the fix referenced in IBM's advisory at https://www.ibm.com/support/pages/node/7278441 (Patch available per vendor advisory); the exact fixed version is not stated in the available data and must be taken from that page, so upgrade to the first release above 1.10.0 that IBM designates as patched. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running IBM Langflow OSS versions 1.0.0-1.10.0; restrict network access to vulnerable instances pending patching. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Langflow Oss
View allUnauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the b
Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the ho
Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected
Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach p
Credential disclosure in IBM Langflow OSS versions 1.0.0 through 1.10.0 stems from a weak, reversible key-derivation mec
Insecure direct object reference (IDOR) in IBM Langflow OSS 1.0.0 through 1.9.1 allows an authenticated user to read or
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40381
GHSA-v798-mcc6-2m3m