
CVE-2026-7871: Critical Deserialization Flaw Enables Remote Code Execution in IBM Langflow OSS

A critical (CVSS 9.8) vulnerability in IBM Langflow OSS allows anyone with Redis access to run arbitrary code with full application privileges, exposing all secrets and data.

What Is It

CVE-2026-7871 is a critical vulnerability affecting IBM Langflow OSS. According to IBM's advisory, versions 1.0.0 through 1.10.0 allow users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity. The flaw is classified as CWE-502 (Deserialization of Untrusted Data), the common root cause of code execution when an application reconstructs objects from attacker-controlled input.

The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact to confidentiality, integrity, and availability.

Why It Matters

A score of 9.8 with no required privileges or user interaction places this among the most severe classes of vulnerability. Successful exploitation yields arbitrary code execution at full application privilege, meaning an attacker can compromise every secret, data store, and the integrity of the affected system. Because Langflow is used to build and run LLM workflows, a compromise can cascade to connected credentials and downstream services.

Note: The supplied CISA KEV entry is empty, so there is no confirmation of active exploitation in the provided source material.

What's Vulnerable

Exposure hinges on Redis access, so environments where Redis is reachable by untrusted users are at greatest risk.
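The CWE-502 pattern described above, and the mitigation a defender would want when Redis is writable by more parties than the application, as an added example that is not Langflow's code and is not taken from IBM's advisory. It assumes a cache that reconstructs Python objects with pickle (the textbook CWE-502 case; the advisory does not say which serializer Langflow uses), uses an in-memory dict as a constructed stand-in for Redis, and uses a hypothetical HMAC key name.

```python
import hashlib
import hmac
import json
import pickle

# Constructed stand-in for a Redis key space; a real deployment would use a Redis client.
CACHE = {}
# Hypothetical server-side secret; must come from a secret store, never from Redis itself.
CACHE_KEY = b"example-hmac-key-not-for-production"

def store_unsafe(key, obj):
    # CWE-502 shape: native object bytes written to a store that other parties can also write.
    CACHE[key] = pickle.dumps(obj)

def load_unsafe(key):
    # Whoever can write this Redis key controls what object gets reconstructed here.
    return pickle.loads(CACHE[key])

def _tag(payload: bytes) -> bytes:
    # Integrity tag over the serialized payload; hex digest never contains the "." separator.
    return hmac.new(CACHE_KEY, payload, hashlib.sha256).hexdigest().encode()

def store_safe(key, obj):
    # Data-only format (JSON) plus an HMAC so the loader can tell app-written entries
    # from anything injected directly into the store.
    payload = json.dumps(obj, separators=(",", ":")).encode()
    CACHE[key] = _tag(payload) + b"." + payload

def load_safe(key):
    raw = CACHE.get(key)
    if raw is None or b"." not in raw:
        raise ValueError("missing or unsigned cache entry")
    tag, payload = raw.split(b".", 1)
    if not hmac.compare_digest(tag, _tag(payload)):
        raise ValueError("cache entry failed integrity check")
    return json.loads(payload)  # plain data, no object reconstruction

def audit_cache():
    """Return keys whose entries load_safe would reject (unsigned or tampered)."""
    bad = []
    for key in CACHE:
        try:
            load_safe(key)
        except ValueError:
            bad.append(key)
    return bad
```

Running audit_cache() against a live key space is a cheap way to spot entries that were written by something other than the application.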

Patch Status

IBM's PSIRT published this record on 2026-06-30 (vulnStatus: Received). Refer to IBM's official support advisory for remediation guidance and fixed-version details. No specific fixed version or required-action deadline is included in the supplied source data.