A critical input-validation flaw in IBM Langflow OSS (versions 1.0.0 through 1.10.0) allows unauthenticated attackers to execute arbitrary code remotely, earning a CVSS score of 9.8.
What Is It
CVE-2026-7803 is an arbitrary code execution vulnerability in IBM Langflow OSS. According to IBM's advisory, the flaw stems from improper validation of flow nodes that contain missing or empty component type fields (CWE-20: Improper Input Validation). An attacker can leverage this weakness to run arbitrary code on affected systems.
The vulnerability carries a CVSS 3.1 base score of 9.8 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning it is exploitable over the network, has low attack complexity, needs no privileges or user interaction, and fully compromises confidentiality, integrity, and availability.
Why It Matters
Remote, unauthenticated code execution on an internet-reachable service is among the most severe outcomes a vulnerability can produce. CISA's SSVC assessment rates the technical impact as "total" and marks the flaw as "automatable," indicating exploitation can be reliably scripted at scale. The same SSVC data currently lists exploitation status as "none," and this CVE is not present in the CISA KEV data reviewed here; there is no confirmation of active exploitation in the wild at this time.
What's Vulnerable
- Product: IBM Langflow OSS
- Affected versions: 1.0.0 through 1.10.0 (inclusive)
- Vendor: IBM
Any deployment running a version in this range is potentially exposed.
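To turn the version range above into an inventory check, here is an added example (not IBM's tooling) that decides whether a reported Langflow OSS version string lies in 1.0.0 through 1.10.0 inclusive. The inventory dictionary is constructed sample data. The point worth noticing is that versions must be compared component by component: as plain strings, "1.10.0" sorts below "1.9.0", so a naive string comparison would miss affected hosts. Pre-release or build suffixes are an assumption handled by ignoring them, which errs toward flagging the host.

```python
"""Classify Langflow OSS version strings against the affected range
1.0.0 <= version <= 1.10.0 (added example, not vendor code)."""
import re

AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 10, 0)

# Accepts "1.9.2", "v1.10.0", and tolerates a trailing suffix such as
# "1.10.0-rc1" or "1.3.0+build5"; the suffix is ignored (assumed behaviour).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+.]?[A-Za-z].*)?$")


def parse_version(s: str) -> tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH into an int tuple so comparisons are numeric."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside the inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed inventory: hostname -> version string reported by the host.
SAMPLE_INVENTORY = {
    "lf-prod-01": "1.10.0",
    "lf-prod-02": "1.9.2",
    "lf-dev-01": "v1.10.1",
    "lf-lab-01": "0.6.5",
    "lf-lab-02": "unknown",
}


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts into affected / not_affected / unparseable.
    Unparseable entries are reported separately so they are not silently
    treated as safe."""
    buckets: dict[str, list[str]] = {"affected": [], "not_affected": [], "unparseable": []}
    for host, ver in sorted(inventory.items()):
        try:
            buckets["affected" if is_affected(ver) else "not_affected"].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts whose version cannot be parsed land in their own bucket on purpose; an inventory script that maps "unknown" to "not affected" is how exposed instances get missed.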
Patch Status
The source material for this summary does not include a CISA KEV entry, so no federal required-action deadline applies. IBM has published a support advisory (node 7278445) for this CVE; administrators should consult that advisory for remediation guidance and upgrade instructions. Given the 9.8 severity and unauthenticated network attack path, upgrading affected installations should be treated as urgent.