Remote Code Execution Vulnerability in IBM Langflow OSS
CVE-2026-7524

9.8CRITICAL

Key Information:

Vendor: IBM
Status: Langflow Oss
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-7524?

IBM Langflow OSS versions 1.0.0 through 1.9.1 are susceptible to remote code execution due to inadequate validation of symbolic links during the extraction of archived files. This security flaw can potentially allow attackers to execute arbitrary code on the system, compromising its integrity and confidentiality. Users are advised to apply the latest patches to mitigate this risk and ensure the security of their systems.

Affected Version(s)

Langflow OSS 1.0.0 <= 1.9.1

References

https://www.ibm.com/support/pages/node/7273426

vendor-advisorypatch

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 30, 2026

Credit

This vulnerability was reported to IBM by Ori Lahav (Rubrik Inc.) orilahav@tauex.tau.ac.il.

CVE-2026-7524 Data

JSON