Skip to main content

Langflow Oss CVE-2026-7874

| EUVDEUVD-2026-40380 CRITICAL
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-06-30 ibm GHSA-32fv-f5hq-fmx9
9.1
CVSS 3.1 · Vendor: ibm
Share

Severity by source

Vendor (ibm) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (ibm) · only source for this CVE.

CVSS VectorVendor: ibm

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 19:52 vuln.today

DescriptionCVE.org

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

AnalysisAI

Credential disclosure in IBM Langflow OSS versions 1.0.0 through 1.10.0 stems from a weak, reversible key-derivation mechanism used to protect secrets encrypted at rest, allowing an attacker who can reach the stored credential data to recover the encryption key and decrypt every stored credential. Because Langflow stores API keys, database connection strings, and third-party service tokens used by AI workflow components, recovery of these secrets gives an attacker the keys to all integrated systems. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Inventory all systems running IBM Langflow OSS versions 1.0.0-1.10.0 and isolate or restrict network access as needed. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy