A critical (CVSS 9.8) vulnerability in IBM Langflow OSS allows anyone with Redis access to run arbitrary code with full application privileges, exposing all secrets and data.
What Is It
CVE-2026-7871 is a critical vulnerability affecting IBM Langflow OSS. According to IBM's advisory, versions 1.0.0 through 1.10.0 allow users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity. The flaw is classified as CWE-502 (Deserialization of Untrusted Data), a common root cause of code execution when an application reconstructs objects from attacker-controlled input.
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That vector means the flaw is network-reachable, has low attack complexity, requires no privileges or user interaction, and has high impact on confidentiality, integrity, and availability.
Why It Matters
A score of 9.8 with no required privileges or user interaction places this among the most severe classes of vulnerability. Successful exploitation yields arbitrary code execution at full application privilege, meaning an attacker can compromise every secret, data store, and the integrity of the affected system. Because Langflow is used to build and run LLM workflows, a compromise can cascade to connected credentials and downstream services.
Note: The supplied CISA KEV entry is empty, so there is no confirmation of active exploitation in the provided source material.
What's Vulnerable
- Vendor: IBM
- Product: Langflow OSS
- Affected versions: 1.0.0 through 1.10.0 (semver, lessThanOrEqual 1.10.0)
Exposure hinges on Redis access, so environments where Redis is reachable by untrusted users are at greatest risk.
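The two conditions above (a version inside the affected range and a Redis instance reachable without authentication) can be triaged together. The following is an added example, not code from IBM or the Langflow project; the inventory format, host names, and config contents are constructed, and the Redis check is a heuristic over the bind, protected-mode, and requirepass directives only (ACL users are not considered).

```python
import re
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (1, 10, 0)  # range stated in the advisory
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_version(text):
    """Return (major, minor, patch) as ints so 1.10.0 sorts after 1.9.0."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def redis_findings(conf_text):
    """Heuristic review of redis.conf text for network exposure without auth."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()
    findings = []
    # A leading '-' marks an optional address in a redis.conf bind list.
    binds = [a.lstrip("-") for a in directives.get("bind", "").split()]
    if any(a not in LOOPBACK for a in binds):
        findings.append("bind includes a non-loopback address")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode is disabled")
    if not directives.get("requirepass"):
        findings.append("no requirepass set")
    return findings

def triage(inventory):
    """Return (name, findings) for every host inside the affected range."""
    return [(h["name"], redis_findings(h["redis_conf"]))
            for h in inventory if is_affected(h["version"])]

# Constructed sample inventory; hostnames and configs are illustrative only.
SAMPLE = [
    {"name": "flow-dev", "version": "1.9.2",
     "redis_conf": "bind 0.0.0.0\nprotected-mode no\n"},
    {"name": "flow-prod", "version": "1.10.0",
     "redis_conf": "bind 127.0.0.1 -::1\nrequirepass placeholder-secret\n"},
    {"name": "flow-next", "version": "1.10.1", "redis_conf": "bind 0.0.0.0\n"},
]
if __name__ == "__main__":
    for name, findings in triage(SAMPLE):
        print(name, "AFFECTED", findings or ["no Redis exposure findings"])
```

Versions are compared as integer tuples because a plain string comparison would sort 1.10.0 before 1.9.0 and misjudge the upper bound of the range.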
Patch Status
IBM's PSIRT published this record on 2026-06-30 (vulnStatus: Received). Refer to IBM's official support advisory for remediation guidance and fixed-version details. No specific fixed version or required-action deadline is included in the supplied source data.
Sources
- IBM Support advisory: https://www.ibm.com/support/pages/node/7278443
- NVD, CVE-2026-7871: https://nvd.nist.gov/vuln/detail/CVE-2026-7871