Skip to content
Threat Feed
critical advisory

IBM Langflow OSS Remote Code Execution via Deserialization

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a critical deserialization vulnerability (CVE-2026-8476) in its disk-based caching mechanism, which uses Python's unsafe `pickle.loads()` function without proper validation, allowing attackers to process malicious pickle payloads and achieve arbitrary code execution with the privileges of the Langflow server process, leading to complete system compromise.

What's new

  • l2 merged source coverage: IBM Langflow OSS Path Traversal Vulnerability (CVE-2026-13445) Jul 17, 21:19 via nvd
  • l2 added CVE-2026-7872 Jul 17, 20:30 via nvd
  • l2 added CVE-2026-13448 +3 Jul 17, 20:30 via nvd
  • l2 merged source coverage: CVE-2026-7667: IBM Langflow OSS Arbitrary File Write Vulnerability via Path Traversal Jul 17, 20:29 via nvd
  • l2 added detection rule: Detects CVE-2026-13448 Exploitation Attempt - IBM Langflow OSS RCE Jul 17, 20:23 via nvd

IBM Langflow OSS, specifically versions 1.0.0 through 1.10.0, is affected by a critical remote code execution vulnerability, identified as CVE-2026-8476. The flaw resides within the AsyncDiskCache class, which is part of the application's disk-based caching mechanism. This class insecurely employs Python's pickle.loads() function to deserialize cached objects without implementing validation, integrity verification, or authentication measures. This critical oversight allows an attacker to inject and process specially crafted malicious pickle payloads. By influencing cached data through various methods, such as direct file system access, malicious workflow inputs, custom components, or API manipulation, threat actors can trigger arbitrary code execution. Successful exploitation results in complete system compromise with the privileges of the Langflow server process.

Attack Chain

  1. An attacker gains the ability to influence or replace data within Langflow's disk-based cache. This can be achieved via malicious workflow inputs, custom component uploads, API manipulation, or direct file system access to the cache directory.
  2. The attacker crafts a malicious Python pickle payload designed to execute arbitrary system commands upon deserialization.
  3. The crafted malicious pickle payload is injected into or replaces legitimate cached data within Langflow's AsyncDiskCache directory on the server.
  4. The Langflow server process attempts to read and deserialize the manipulated cached object from disk using the vulnerable pickle.loads() function.
  5. During the insecure deserialization process, the malicious pickle payload is executed on the host system.
  6. The attacker achieves arbitrary code execution with the privileges of the Langflow server process.
  7. The attacker leverages the achieved code execution to gain complete system compromise and potentially establish persistence.

Impact

Successful exploitation of CVE-2026-8476 leads to critical consequences, including arbitrary code execution and complete system compromise. Attackers can gain control over the Langflow server, allowing them to steal sensitive data, deploy further malware, disrupt operations, or use the compromised server as a foothold for lateral movement within the network. The vulnerability's high CVSS score of 9.9 reflects the severe impact and ease of exploitation.

Recommendation

  • Immediately patch IBM Langflow OSS installations to a version beyond 1.10.0 to remediate CVE-2026-8476.
  • Implement strict access controls for Langflow instances, ensuring only authorized and trusted users can provide workflow inputs or custom components.
  • Monitor file system write events to Langflow's cache directories for unusual modifications or injections of suspicious files.
  • Review all API endpoints that could allow manipulation of cached data or workflow inputs for potential abuse, especially those mentioned in the overview.

Detection coverage 1

Detects CVE-2026-13448 Exploitation Attempt - IBM Langflow OSS RCE

high

Detects CVE-2026-13448 exploitation attempts targeting the public flow build endpoint in IBM Langflow OSS for unauthenticated remote code execution.

sigma tactics: execution, initial_access techniques: T1059, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

url

TypeValue
urlhttps://www.ibm.com/support/pages/node/7278923