CVE-2026-3357: Langflow: deserialization RCE via FAISS component default

HIGH
Published April 8, 2026
CISO Take

IBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.

Sources: NVD ATLAS ibm.com

What is the risk?

High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and low privilege requirements creates an attractive post-authentication escalation path requiring minimal tradecraft. The insecure default configuration means vulnerable deployments require no additional misconfiguration beyond a standard install. Langflow is widely deployed as an AI workflow orchestration platform in enterprise environments, frequently with privileged access to AI pipeline components, sensitive data, and adjacent infrastructure. Without EPSS data or confirmed active exploitation, urgency is driven by the combination of ease of exploitation and architectural centrality — Langflow hosts are high-value targets once breached.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
FAISS pip No patch
40.5K OpenSSF 6.2 1.3K dependents Pushed 7d ago 0% patched Full package profile →
Langflow pip No patch
151.1K Pushed 4d ago 35% patched ~67d to patch Full package profile →

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 37% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps
  1. Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428.

  2. If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface.

  3. Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround.

  4. Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation.

  5. Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system operational and performance requirements
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-3357?

IBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.

Is CVE-2026-3357 actively exploited?

No confirmed active exploitation of CVE-2026-3357 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3357?

1. Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428. 2. If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface. 3. Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround. 4. Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation. 5. Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.

What systems are affected by CVE-2026-3357?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, vector databases, model serving.

What is the CVSS score for CVE-2026-3357?

CVE-2026-3357 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.47%.

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelinesvector databasesmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

Exploitation Scenario

An authenticated adversary with a low-privileged Langflow account — a contractor, compromised employee credential, or misconfigured service account — references or uploads a maliciously crafted FAISS index file containing a serialized Python payload (e.g., a pickle-based reverse shell). When Langflow loads the index under its insecure default deserialization settings, the payload executes with the privileges of the Langflow process. The attacker gains OS-level code execution, immediately pivots to harvest LLM API keys and vector database credentials from environment variables and configuration files, exfiltrates proprietary embeddings and knowledge base contents, and establishes persistence via a reverse shell or implanted scheduled task. In CI/CD-connected pipelines, this foothold can propagate to model registries or training infrastructure.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 8, 2026
Last Modified
April 14, 2026
First Seen
April 8, 2026

Related Vulnerabilities