⚡ Active KEV CVE-2026-7874 2026-06-30

IBM Langflow OSS Exposes All Stored Credentials via Weak Encryption Key Derivation (CVE-2026-7874)

A critical flaw in IBM Langflow OSS lets an unauthenticated network attacker recover every stored credential because encryption at rest relies on a weak, reversible key derivation mechanism.

What Is It

CVE-2026-7874 is a critical (CVSS 3.1 base score 9.1) vulnerability in IBM Langflow OSS. According to IBM's advisory, the product protects stored data with a weak and reversible key derivation mechanism. Because the encryption key can be re-derived and the derivation reversed, an attacker can decrypt and disclose all stored credentials. The issue is classified as CWE-338 (use of a cryptographically weak pseudo-random number generator). The CVSS vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicates that the flaw is exploitable over the network with low attack complexity and requires neither privileges nor user interaction; the impact is high for both confidentiality and integrity and none for availability.
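To make the weakness class concrete, the following is an added illustration (not Langflow's code and not taken from IBM's advisory) that contrasts a key derived from non-secret inputs through a seeded non-cryptographic PRNG, the CWE-338 pattern, with a CSPRNG-generated key and a salted PBKDF2 derivation. All inputs and function names are constructed for the example.

```python
"""Weak vs. sound key derivation for secrets stored at rest (illustrative)."""
import hashlib
import random
import secrets

# Constructed, non-secret inputs that an attacker can observe or guess.
# Assumption for this illustration: a product seeds its key from deployment
# metadata rather than from real secret material. Not Langflow's code.
PUBLIC_INPUTS = {"app": "example-app", "host": "db01.example.internal"}


def derive_key_weak(public_inputs: dict) -> bytes:
    """CWE-338 pattern: a 256-bit key produced by seeding Python's Mersenne
    Twister with values that are not secret. The key is a pure function of
    those values, so anyone who learns them regenerates it."""
    seed = "|".join(f"{k}={v}" for k, v in sorted(public_inputs.items()))
    rng = random.Random(seed)  # not a CSPRNG; the seed fixes every output
    return bytes(rng.getrandbits(8) for _ in range(32))


def generate_key_sound() -> bytes:
    """Correct pattern: 32 bytes from the OS CSPRNG, stored apart from the
    database (key file with restrictive permissions, KMS, or a vault)."""
    return secrets.token_bytes(32)


def derive_key_from_passphrase(passphrase: str, salt=None):
    """If a key must come from an operator-supplied secret, use a real KDF
    with a random per-installation salt. The salt may be stored next to the
    ciphertext; the passphrase must not be."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)
    return key, salt


def weak_key_recoverable(public_inputs: dict) -> bool:
    """Audit check: the derivation is 'reversible' in the advisory's sense if
    re-running it with nothing but non-secret inputs yields the same key."""
    return derive_key_weak(public_inputs) == derive_key_weak(dict(public_inputs))


def sound_keys_independent() -> bool:
    """Two CSPRNG keys should never coincide; a repeat means the generator
    is broken or has been seeded."""
    return generate_key_sound() != generate_key_sound()
```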

Why It Matters

Langflow stores credentials that connect it to other systems and services. Because the encryption protecting those secrets can be reversed, a successful attacker gains access to every stored credential, enabling further compromise of connected systems. CISA's SSVC assessment rates the technical impact as "total" and marks the flaw as "automatable," meaning exploitation can be scripted at scale. The same SSVC data records exploitation status as "none," and there is no CISA KEV entry, so there is no confirmation of active exploitation at this time.

What's Vulnerable

IBM Langflow OSS versions 1.0.0 through 1.10.0 (inclusive) are affected, per the NVD record and the listed CPEs (cpe:2.3:a:ibm:langflow_oss).

Patch Status

IBM has published a support advisory (node 7278447) addressing this vulnerability. Organizations running affected Langflow OSS versions should consult IBM's advisory for remediation and upgrade guidance. No specific fixed version is stated in the supplied source material.

Sources