<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Langflow OSS 1.2.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/langflow-oss-1.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 20:20:29 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/langflow-oss-1.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>IBM Langflow OSS Remote Code Execution via Deserialization</title><link>https://feed.craftedsignal.io/briefs/2026-07-ibm-langflow-rce/</link><pubDate>Fri, 17 Jul 2026 20:20:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ibm-langflow-rce/</guid><description>IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a critical deserialization vulnerability (CVE-2026-8476) in its disk-based caching mechanism, which uses Python's unsafe `pickle.loads()` function without proper validation, allowing attackers to process malicious pickle payloads and achieve arbitrary code execution with the privileges of the Langflow server process, leading to complete system compromise.</description><content:encoded><![CDATA[<p>IBM Langflow OSS, specifically versions 1.0.0 through 1.10.0, is affected by a critical remote code execution vulnerability, identified as CVE-2026-8476. The flaw resides within the <code>AsyncDiskCache</code> class, which is part of the application's disk-based caching mechanism. This class insecurely employs Python's <code>pickle.loads()</code> function to deserialize cached objects without implementing validation, integrity verification, or authentication measures. This critical oversight allows an attacker to inject and process specially crafted malicious pickle payloads. By influencing cached data through various methods, such as direct file system access, malicious workflow inputs, custom components, or API manipulation, threat actors can trigger arbitrary code execution. Successful exploitation results in complete system compromise with the privileges of the Langflow server process.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains the ability to influence or replace data within Langflow's disk-based cache. This can be achieved via malicious workflow inputs, custom component uploads, API manipulation, or direct file system access to the cache directory.</li>
<li>The attacker crafts a malicious Python pickle payload designed to execute arbitrary system commands upon deserialization.</li>
<li>The crafted malicious pickle payload is injected into or replaces legitimate cached data within Langflow's <code>AsyncDiskCache</code> directory on the server.</li>
<li>The Langflow server process attempts to read and deserialize the manipulated cached object from disk using the vulnerable <code>pickle.loads()</code> function.</li>
<li>During the insecure deserialization process, the malicious pickle payload is executed on the host system.</li>
<li>The attacker achieves arbitrary code execution with the privileges of the Langflow server process.</li>
<li>The attacker leverages the achieved code execution to gain complete system compromise and potentially establish persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-8476 leads to critical consequences, including arbitrary code execution and complete system compromise. Attackers can gain control over the Langflow server, allowing them to steal sensitive data, deploy further malware, disrupt operations, or use the compromised server as a foothold for lateral movement within the network. The vulnerability's high CVSS score of 9.9 reflects the severe impact and ease of exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch IBM Langflow OSS installations to a version beyond 1.10.0 to remediate CVE-2026-8476.</li>
<li>Implement strict access controls for Langflow instances, ensuring only authorized and trusted users can provide workflow inputs or custom components.</li>
<li>Monitor file system write events to Langflow's cache directories for unusual modifications or injections of suspicious files.</li>
<li>Review all API endpoints that could allow manipulation of cached data or workflow inputs for potential abuse, especially those mentioned in the overview.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>remote-code-execution</category><category>deserialization</category><category>python</category><category>langflow</category><category>web-vulnerability</category><category>rce</category><category>authentication-bypass</category><category>critical-vulnerability</category><category>ibm</category><category>vulnerability</category><category>path-traversal</category><category>file-write</category><category>web-application</category><category>data-exfiltration</category><category>data-integrity</category></item></channel></rss>