CVE-2026-3357: Langflow: deserialization RCE via FAISS component default

HIGH
Published April 8, 2026
CISO Take

IBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.

Sources: NVD ATLAS ibm.com

What is the risk?

High risk. CVSS 8.8 with network-accessible attack vector, low complexity, and low privilege requirements creates an attractive post-authentication escalation path requiring minimal tradecraft. The insecure default configuration means vulnerable deployments require no additional misconfiguration beyond a standard install. Langflow is widely deployed as an AI workflow orchestration platform in enterprise environments, frequently with privileged access to AI pipeline components, sensitive data, and adjacent infrastructure. Without EPSS data or confirmed active exploitation, urgency is driven by the combination of ease of exploitation and architectural centrality — Langflow hosts are high-value targets once breached.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
faiss-cpu | pip | - | No patch
  40.1K, OpenSSF 6.1, 1.2K dependents, pushed 7d ago, 0% patched
langflow | pip | - | No patch
  148.3K, pushed 6d ago, 31% patched, ~53d to patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 71% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428.

  2. If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface.

  3. Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround.

  4. Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation.

  5. Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.
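
An added example for step 3 (not code from the IBM advisory or the Langflow project): a static audit that lists the imports a pickle stream would perform without ever loading it, assuming the index's serialized sidecar is a Python pickle as in the exploitation scenario on this page. The function names, the allowlist parameter and the sample inputs are constructed for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that push a string; STACK_GLOBAL takes module and name from the stack.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "SHORT_BINSTRING", "BINSTRING", "STRING"}


def pickle_imports(data: bytes):
    """List (module, name) pairs a pickle stream would import. Never unpickles."""
    found, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name in ("GLOBAL", "INST"):
                module, _, name = arg.partition(" ")
                found.append((module, name))
            elif op.name == "STACK_GLOBAL":
                # Heuristic: the two most recently pushed strings. A stream can
                # defeat this via the memo, so names are for reporting only.
                pair = tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?")
                found.append(pair)
    except Exception as exc:  # truncated or malformed stream: fail closed
        found.append(("<malformed>", str(exc)))
    return found


def audit(data: bytes, allowed=frozenset()):
    """Return imports outside `allowed`; empty list means the file may be loaded.
    Keep `allowed` empty for files from untrusted or user-supplied paths."""
    return [imp for imp in pickle_imports(data) if imp not in allowed]


if __name__ == "__main__":
    # Constructed samples: plain data, and streams that reference a callable.
    samples = {
        "plain dict": pickle.dumps({"0": "doc-a"}),
        "callable ref (proto 3)": pickle.dumps(print, protocol=3),
        "callable ref (proto 4)": pickle.dumps(print, protocol=4),
        "OrderedDict": pickle.dumps(OrderedDict(a=1)),
    }
    for label, blob in samples.items():
        verdict = audit(blob) or "no imports"
        print(f"{label}: {verdict}")
```

A non-empty result is a reason to quarantine the file rather than load it; the audit complements, and does not replace, upgrading and disabling deserialization of untrusted index files.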

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system operational and performance requirements
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-3357?

IBM Langflow Desktop 1.6.0–1.8.2 allows any authenticated user to execute arbitrary code by exploiting insecure deserialization in the FAISS vector search component, enabled by an insecure default configuration (CVSS 8.8, CWE-502). The attack is trivially reachable over the network with low privileges and requires no user interaction, meaning any internal user or compromised service account can achieve full system compromise across confidentiality, integrity, and availability. While not yet in CISA KEV and no public exploit scanner exists, the low attack complexity combined with broad enterprise deployment of Langflow in AI pipelines — where hosts commonly hold API keys, model weights, and vector database credentials — makes this a priority patch. Upgrade immediately beyond version 1.8.2 per the IBM advisory and sandbox or disable FAISS index deserialization from untrusted sources as an interim control.

Is CVE-2026-3357 actively exploited?

No confirmed active exploitation of CVE-2026-3357 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3357?

  1. Upgrade IBM Langflow Desktop immediately to a version beyond 1.8.2 per IBM advisory at https://www.ibm.com/support/pages/node/7268428.

  2. If patching is not immediately feasible, restrict Langflow access to the minimum required user set and enforce network-level controls (firewall rules, VPN, IP allowlisting) to reduce attack surface.

  3. Audit FAISS index loading configurations and block deserialization of any FAISS index files sourced from untrusted or user-supplied paths as an interim workaround.

  4. Review Langflow host logs for anomalous process spawning, unexpected outbound connections, or unusual file access patterns that may indicate prior exploitation.

  5. Rotate any API keys, credentials, or secrets accessible from Langflow host environment variables or configuration files as a precautionary measure.

What systems are affected by CVE-2026-3357?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, vector databases, model serving.

What is the CVSS score for CVE-2026-3357?

CVE-2026-3357 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.63%.

Technical Details

NVD Description

IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

Exploitation Scenario

An authenticated adversary with a low-privileged Langflow account — a contractor, compromised employee credential, or misconfigured service account — references or uploads a maliciously crafted FAISS index file containing a serialized Python payload (e.g., a pickle-based reverse shell). When Langflow loads the index under its insecure default deserialization settings, the payload executes with the privileges of the Langflow process. The attacker gains OS-level code execution, immediately pivots to harvest LLM API keys and vector database credentials from environment variables and configuration files, exfiltrates proprietary embeddings and knowledge base contents, and establishes persistence via a reverse shell or implanted scheduled task. In CI/CD-connected pipelines, this foothold can propagate to model registries or training infrastructure.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 8, 2026
Last Modified: April 14, 2026
First Seen: April 8, 2026
