A critical (CVSS 9.9) vulnerability in IBM Langflow OSS lets authenticated attackers run arbitrary OS commands and read sensitive files, enabling full system compromise and lateral movement.
What Is It
CVE-2026-7873 is a code injection flaw (CWE-94) in IBM Langflow OSS, an open-source framework for building AI workflows. According to IBM's PSIRT advisory, authenticated attackers can execute arbitrary operating system commands and read sensitive files, including credentials. The issue carries a CVSS 3.1 base score of 9.9 (CRITICAL), with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. That vector means the flaw is network-reachable, has low attack complexity, requires only low privileges and no user interaction, and has a changed scope with high confidentiality, integrity, and availability impact.
Why It Matters
The combination of remote network access, low privilege requirements, and no user interaction makes this vulnerability highly exploitable. Successful exploitation grants arbitrary command execution and credential theft, which the advisory notes enables "complete system compromise and lateral movement." The changed scope (S:C) indicates that impact can extend beyond the vulnerable component to other parts of the environment. Any low-privileged account is sufficient to fully compromise an affected host.
What's Vulnerable
IBM Langflow OSS versions 1.0.0 through 1.10.0 are affected, per the NVD record and IBM advisory. The vulnerability requires the attacker to be authenticated.
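As an added example (not code from IBM's advisory or the Langflow project), the Python below triages a version inventory against the affected range stated above. It compares versions numerically, because a plain string comparison sorts 1.9.x after 1.10.0 and would miss those hosts. Host names and versions in the sample are constructed, and anything that is not a plain release number is flagged for manual review.

```python
import re

# Affected range as stated on this page: 1.0.0 through 1.10.0, inclusive.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 10, 0)

# Plain release numbers only (optional leading "v", optional patch component).
_RELEASE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_release(version):
    """Return (major, minor, patch) for a plain release string, else None."""
    match = _RELEASE.match(version.strip())
    if not match:
        return None  # pre-release, dev build, local tag or malformed string
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def classify(version):
    """Classify one version string against the stated affected range."""
    release = parse_release(version)
    if release is None:
        return "review"  # the page does not say how such builds are treated
    if AFFECTED_MIN <= release <= AFFECTED_MAX:
        return "affected"
    return "outside-range"


def triage(inventory):
    """Group (host, version) pairs by classification."""
    report = {"affected": [], "outside-range": [], "review": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("flow-dev-01", "1.9.2"),
    ("flow-prod-01", "1.10.0"),
    ("flow-prod-02", "1.10.1"),
    ("flow-lab-01", "0.6.19"),
    ("flow-lab-02", "1.0.0rc1"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```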
Patch Status
The CVE was published on 2026-06-30 with a vulnerability status of "Received" in NVD. IBM has issued a support advisory (node 7278441) addressing the issue; administrators should consult that advisory for remediation and upgrade guidance. This CVE does not currently appear in the CISA Known Exploited Vulnerabilities (KEV) catalog based on the supplied data, so there is no confirmation of active exploitation at this time.
Sources
- IBM Support Advisory, https://www.ibm.com/support/pages/node/7278441
- NVD, CVE-2026-7873, https://nvd.nist.gov/vuln/detail/CVE-2026-7873