{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/langflow-oss-1.6.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-8476"},{"cvss":9.9,"id":"CVE-2026-8481"},{"cvss":8.8,"id":"CVE-2026-7755"},{"cvss":9.8,"id":"CVE-2026-8505"},{"cvss":8.1,"id":"CVE-2026-13448"},{"cvss":8.8,"id":"CVE-2026-7667"},{"cvss":7.5,"id":"CVE-2026-7872"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Langflow OSS 1.0.0","Langflow OSS 1.1.0","Langflow OSS 1.2.0","Langflow OSS 1.3.0","Langflow OSS 1.4.0","Langflow OSS 1.5.0","Langflow OSS 1.6.0","Langflow OSS 1.7.0","Langflow OSS 1.8.0","Langflow OSS 1.9.0","Langflow OSS 1.10.0","Langflow OSS 1.0.0 through 1.10.0","Langflow OSS 1.10.1","Langflow OSS 1.0.0 through 1.10.1"],"_cs_severities":["critical"],"_cs_tags":["remote-code-execution","deserialization","python","langflow","web-vulnerability","rce","authentication-bypass","critical-vulnerability","ibm","vulnerability","path-traversal","file-write","web-application","data-exfiltration","data-integrity"],"_cs_type":"advisory","_cs_vendors":["IBM"],"content_html":"\u003cp\u003eIBM Langflow OSS, specifically versions 1.0.0 through 1.10.0, is affected by a critical remote code execution vulnerability, identified as CVE-2026-8476. The flaw resides within the \u003ccode\u003eAsyncDiskCache\u003c/code\u003e class, which is part of the application's disk-based caching mechanism. This class insecurely employs Python's \u003ccode\u003epickle.loads()\u003c/code\u003e function to deserialize cached objects without implementing validation, integrity verification, or authentication measures. This critical oversight allows an attacker to inject and process specially crafted malicious pickle payloads. By influencing cached data through various methods, such as direct file system access, malicious workflow inputs, custom components, or API manipulation, threat actors can trigger arbitrary code execution. Successful exploitation results in complete system compromise with the privileges of the Langflow server process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to influence or replace data within Langflow's disk-based cache. This can be achieved via malicious workflow inputs, custom component uploads, API manipulation, or direct file system access to the cache directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Python pickle payload designed to execute arbitrary system commands upon deserialization.\u003c/li\u003e\n\u003cli\u003eThe crafted malicious pickle payload is injected into or replaces legitimate cached data within Langflow's \u003ccode\u003eAsyncDiskCache\u003c/code\u003e directory on the server.\u003c/li\u003e\n\u003cli\u003eThe Langflow server process attempts to read and deserialize the manipulated cached object from disk using the vulnerable \u003ccode\u003epickle.loads()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the insecure deserialization process, the malicious pickle payload is executed on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with the privileges of the Langflow server process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the achieved code execution to gain complete system compromise and potentially establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8476 leads to critical consequences, including arbitrary code execution and complete system compromise. Attackers can gain control over the Langflow server, allowing them to steal sensitive data, deploy further malware, disrupt operations, or use the compromised server as a foothold for lateral movement within the network. The vulnerability's high CVSS score of 9.9 reflects the severe impact and ease of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch IBM Langflow OSS installations to a version beyond 1.10.0 to remediate CVE-2026-8476.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls for Langflow instances, ensuring only authorized and trusted users can provide workflow inputs or custom components.\u003c/li\u003e\n\u003cli\u003eMonitor file system write events to Langflow's cache directories for unusual modifications or injections of suspicious files.\u003c/li\u003e\n\u003cli\u003eReview all API endpoints that could allow manipulation of cached data or workflow inputs for potential abuse, especially those mentioned in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T21:19:56Z","date_published":"2026-07-17T20:20:29Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ibm-langflow-rce/","summary":"IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a critical deserialization vulnerability (CVE-2026-8476) in its disk-based caching mechanism, which uses Python's unsafe `pickle.loads()` function without proper validation, allowing attackers to process malicious pickle payloads and achieve arbitrary code execution with the privileges of the Langflow server process, leading to complete system compromise.","title":"IBM Langflow OSS Remote Code Execution via Deserialization","url":"https://feed.craftedsignal.io/briefs/2026-07-ibm-langflow-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Langflow OSS 1.6.0","version":"https://jsonfeed.org/version/1.1"}