CVE-2026-3357: Langflow: deserialization RCE via FAISS component default

HIGH
Published April 8, 2026
CISO Take

IBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.

Sources: NVD, ATLAS, ibm.com

Risk Assessment

High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and low privilege requirements creates an attractive post-authentication escalation path requiring minimal tradecraft. The insecure default configuration means vulnerable deployments require no additional misconfiguration beyond a standard install. Langflow is widely deployed as an AI workflow orchestration platform in enterprise environments, frequently with privileged access to AI pipeline components, sensitive data, and adjacent infrastructure. Without EPSS data or confirmed active exploitation, urgency is driven by the combination of ease of exploitation and architectural centrality — Langflow hosts are high-value targets once breached.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
faiss-cpu | pip | | No patch
langflow | pip | | No patch

Package statistics:
faiss-cpu: 39.6K, OpenSSF 5.8, 1.0K dependents, pushed 3d ago, 0% patched
langflow: 146.6K, pushed 3d ago, 19% patched, ~63d to patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428.
  2. If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface.
  3. Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround.
  4. Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation.
  5. Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.
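For the interim workaround in step 3, one way to refuse unexpected deserialization is an allowlisting unpickler that screens index metadata before it reaches the Langflow host. This is an added example, not code from Langflow, IBM, or the advisory. It assumes the index metadata is a Python pickle; `ALLOWED_GLOBALS`, `load_index_metadata`, `screen` and the sample inputs are hypothetical names and constructed values.

```python
import io
import pickle
from collections import OrderedDict

# Assumption for this example: the exact (module, name) pairs a known-good
# index pickle imports. Stand-in value; build the real list from your own indexes.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every import not explicitly allowlisted."""

    def __init__(self, file, allowed=ALLOWED_GLOBALS):
        super().__init__(file)
        self._allowed = allowed

    def find_class(self, module, name):
        # pickle calls this for every class or function the stream references,
        # before anything is invoked, so denying here stops the call itself.
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"blocked import {module}.{name}")
        return super().find_class(module, name)


def load_index_metadata(data: bytes, allowed=ALLOWED_GLOBALS):
    """Deserialize index metadata under the allowlist; raises on anything else."""
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def screen(data: bytes, allowed=ALLOWED_GLOBALS) -> str:
    """Return 'ok' or a 'rejected: ...' reason suitable for an audit log."""
    try:
        load_index_metadata(data, allowed)
    except Exception as exc:  # blocked import, truncated or malformed stream
        return f"rejected: {exc}"
    return "ok"


class _ConstructedSample:
    """Constructed, harmless stand-in: unpickling it would call len()."""
    def __reduce__(self):
        return (len, ("constructed",))


# Constructed sample inputs (not real Langflow or FAISS files).
BENIGN = pickle.dumps((OrderedDict({"0": "chunk text"}), {0: "0"}))
SUSPECT = pickle.dumps(_ConstructedSample())

if __name__ == "__main__":
    print(screen(BENIGN))
    print(screen(SUSPECT))
```

Keep the allowlist to plain data classes, since an allowed callable still runs with arguments taken from the file. The screen complements the upgrade in step 1 and does not replace it.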

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system operational and performance requirements
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Technical Details

NVD Description

IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

Exploitation Scenario

An authenticated adversary with a low-privileged Langflow account — a contractor, compromised employee credential, or misconfigured service account — references or uploads a maliciously crafted FAISS index file containing a serialized Python payload (e.g., a pickle-based reverse shell). When Langflow loads the index under its insecure default deserialization settings, the payload executes with the privileges of the Langflow process. The attacker gains OS-level code execution, immediately pivots to harvest LLM API keys and vector database credentials from environment variables and configuration files, exfiltrates proprietary embeddings and knowledge base contents, and establishes persistence via a reverse shell or implanted scheduled task. In CI/CD-connected pipelines, this foothold can propagate to model registries or training infrastructure.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 8, 2026
Last Modified: April 8, 2026
First Seen: April 8, 2026
