A critical flaw in IBM Langflow OSS lets an unauthenticated network attacker recover every stored credential because encryption at rest relies on a weak, reversible key derivation mechanism.
What Is It
CVE-2026-7874 is a critical (CVSS 3.1 base score 9.1) vulnerability in IBM Langflow OSS. According to IBM's advisory, the product uses a weak and reversible key derivation mechanism to protect stored data. Because an attacker can re-derive the key that protects those secrets, every stored credential can be decrypted and disclosed. The issue is classified as CWE-338 (use of a cryptographically weak pseudo-random number generator). The CVSS vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicates the attack is exploitable over the network with low complexity, requires no privileges or user interaction, and has high impact to confidentiality and integrity with no impact to availability.
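The advisory does not publish Langflow's derivation code, so the following is an added illustration of the weakness class (CWE-338) rather than the project's own implementation: a key produced by seeding a non-cryptographic PRNG with a predictable input is reproducible by anyone who can guess that input, so an attacker re-runs the derivation and decrypts every secret it protected; the same store keyed from `secrets` (or from a configured secret through PBKDF2 with a random salt) resists the same attack. The seed input, the function names, and the HMAC-SHA256 stream cipher (a stand-in for a real AEAD such as AES-GCM, used only because the standard library ships no AES) are assumptions for the example.

```python
"""CWE-338 in a credential store, illustrated (not Langflow's code)."""
import hashlib
import hmac
import random
import secrets
from typing import Iterable, Optional

# Constructed example: a public, predictable value an application might
# wrongly feed into key generation (a hostname, an install id, ...).
PUBLIC_SEED_INPUT = "langflow-host-01"


def weak_derive_key(seed_input: str) -> bytes:
    """Vulnerable pattern: seed the Mersenne Twister with a guessable value
    and use its output as a 32-byte key. random is not a CSPRNG and the seed
    is recoverable, so the key is recoverable (CWE-338)."""
    rng = random.Random(seed_input)
    return bytes(rng.getrandbits(8) for _ in range(32))


def strong_key() -> bytes:
    """Hardened pattern: a fresh key from the OS CSPRNG, stored where only
    the service can read it. Nothing public determines its value."""
    return secrets.token_bytes(32)


def strong_derive_key_from_secret(secret: str, salt: bytes) -> bytes:
    """Hardened derivation when the key must come from a configured secret:
    PBKDF2-HMAC-SHA256, random per-installation salt, high iteration count.
    The salt may be stored in the clear; the secret must not be."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 600_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a portable stand-in for a real AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def attacker_recover(blob: bytes, candidate_seed_inputs: Iterable[str]) -> Optional[str]:
    """The attack the advisory describes: with a copy of the encrypted store,
    re-run the weak derivation over candidate public inputs and try each
    key. The authentication tag tells the attacker when a guess is right."""
    for cand in candidate_seed_inputs:
        try:
            return decrypt(weak_derive_key(cand), blob).decode()
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    credential = b"sk-example-api-key"          # constructed sample secret
    guesses = ["langflow-host-00", PUBLIC_SEED_INPUT, "langflow-host-02"]
    weak_blob = encrypt(weak_derive_key(PUBLIC_SEED_INPUT), credential)
    print("weak store recovered:", attacker_recover(weak_blob, guesses))
    strong_blob = encrypt(strong_key(), credential)
    print("strong store recovered:", attacker_recover(strong_blob, guesses))
```

Run stand-alone, the weak store gives up the credential on the second guess while the strong store yields nothing: the attacker never learns anything that narrows a 256-bit random key, and a wrong key fails the tag check instead of producing garbage that could be mistaken for a hit. If a deployment must derive its key from a configured secret, `strong_derive_key_from_secret` shows the shape of an acceptable derivation; what makes it safe is the unguessable secret and the per-installation salt, not the hash function alone.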
Why It Matters
Langflow stores credentials that connect it to other systems and services. Because the encryption protecting those secrets can be reversed, a successful attacker gains access to every stored credential, enabling further compromise of connected systems. CISA's SSVC assessment rates the technical impact as "total" and marks the flaw as "automatable," meaning exploitation can be scripted at scale. The same SSVC data records exploitation status as "none," and there is no CISA KEV entry, so there is no confirmation of active exploitation at this time.
What's Vulnerable
IBM Langflow OSS versions 1.0.0 through 1.10.0 (inclusive) are affected, per the NVD record and the listed CPEs (cpe:2.3:a:ibm:langflow_oss).
Patch Status
IBM has published a support advisory (node 7278447) addressing this vulnerability. Organizations running affected Langflow OSS versions should consult IBM's advisory for remediation and upgrade guidance. No specific fixed version is stated in the supplied source material.
Sources
- IBM Support advisory; https://www.ibm.com/support/pages/node/7278447
- NVD entry for CVE-2026-7874; https://nvd.nist.gov/vuln/detail/CVE-2026-7874