CVE-2026-3357: Langflow: deserialization RCE via FAISS component default
HIGHIBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.
What is the risk?
High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and low privilege requirements creates an attractive post-authentication escalation path requiring minimal tradecraft. The insecure default configuration means vulnerable deployments require no additional misconfiguration beyond a standard install. Langflow is widely deployed as an AI workflow orchestration platform in enterprise environments, frequently with privileged access to AI pipeline components, sensitive data, and adjacent infrastructure. Without EPSS data or confirmed active exploitation, urgency is driven by the combination of ease of exploitation and architectural centrality — Langflow hosts are high-value targets once breached.
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428.
-
If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface.
-
Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround.
-
Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation.
-
Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-3357?
IBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.
Is CVE-2026-3357 actively exploited?
No confirmed active exploitation of CVE-2026-3357 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-3357?
1. Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428. 2. If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface. 3. Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround. 4. Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation. 5. Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.
What systems are affected by CVE-2026-3357?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, vector databases, model serving.
What is the CVSS score for CVE-2026-3357?
CVE-2026-3357 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.47%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0072 Reverse Shell Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
Exploitation Scenario
An authenticated adversary with a low-privileged Langflow account — a contractor, compromised employee credential, or misconfigured service account — references or uploads a maliciously crafted FAISS index file containing a serialized Python payload (e.g., a pickle-based reverse shell). When Langflow loads the index under its insecure default deserialization settings, the payload executes with the privileges of the Langflow process. The attacker gains OS-level code execution, immediately pivots to harvest LLM API keys and vector database credentials from environment variables and configuration files, exfiltrates proprietary embeddings and knowledge base contents, and establishes persistence via a reverse shell or implanted scheduled task. In CI/CD-connected pipelines, this foothold can propagate to model registries or training infrastructure.
Weaknesses (CWE)
CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow