CVE-2026-6543: Langflow: RCE exposes API keys and DB credentials

HIGH
Published April 30, 2026
CISO Take

IBM Langflow Desktop versions 1.0.0 through 1.8.4 contain a code injection flaw (CWE-94) that lets any network-authenticated user execute arbitrary OS commands with full Langflow process privileges. Langflow deployments routinely store LLM API keys, database connection strings, and cloud credentials as environment variables — all readable in a single exploit — making the blast radius significantly wider than the host itself. Although not yet in CISA KEV, the EPSS 87th-percentile ranking places this well above average exploitation likelihood across the CVE universe, and the SSVC TRACK decision confirms active monitoring is warranted now rather than deferred. Immediately restrict Langflow network access to trusted networks only, apply IBM's patch per advisory node/7271092, and rotate all API keys and database credentials accessible to the process.

Sources: NVD, EPSS, ATLAS, IBM Security Advisory (ibm.com)

What is the risk?

CVSS 8.8 with a network-accessible, low-complexity attack vector requiring only low privileges makes this a realistic threat for any organization running Langflow in a shared or partially trusted network segment. All three impact dimensions (C/I/A) are rated HIGH, meaning a single exploit delivers full operational compromise of the AI pipeline. The elevated EPSS percentile (87th) despite a low absolute score signals disproportionate exploitation interest relative to the broader CVE corpus. AI environments hosting Langflow typically authenticate to multiple downstream services — LLM APIs, vector databases, cloud buckets — amplifying blast radius far beyond the local host.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker authenticates to the Langflow API with low-privilege credentials obtained via credential stuffing, phishing, or a leaked trial account, establishing a network foothold.

  2. Code Execution (AML.T0050): A crafted workflow definition or API payload exploits the CWE-94 code injection flaw in Langflow's execution engine, running arbitrary OS commands with full process privileges.

  3. Credential Harvesting (AML.T0055): Attacker reads all process environment variables, extracting LLM API keys, database connection strings, and cloud provider tokens stored by the Langflow deployment.

  4. Lateral Movement & Impact (AML.T0025): Harvested credentials enable access to connected LLM APIs, vector databases, and internal network services, enabling data exfiltration, AI pipeline poisoning, or further infrastructure compromise.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 37% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. Patch: Apply IBM's fix immediately per https://www.ibm.com/support/pages/node/7271092 and upgrade beyond version 1.8.4.

  2. Network isolation: Block public internet exposure to the Langflow API; restrict access to trusted internal networks or VPN only.

  3. Credential rotation: Rotate all LLM API keys, database passwords, and cloud credentials stored in environment variables accessible to the Langflow process.

  4. Least privilege: Run Langflow under a dedicated low-privilege service account scoped to only the secrets it operationally requires.

  5. Detection: Alert on unusual child process spawning from the Langflow parent process, unexpected outbound connections to new external endpoints, and bulk reads of /proc/*/environ or equivalent environment variable access patterns.
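
The process-tree and environ-read checks from step 5, as an added example that is not code from IBM, Langflow or this page's sources. The JSON event schema, the `langflow` command-line marker, the child allowlist and all sample events are constructed assumptions; map them to whatever your EDR or audit pipeline emits.

```python
import json
import re
from pathlib import PurePosixPath

# Constructed telemetry (JSON lines), in time order. Field names and paths are assumptions.
SAMPLE_EVENTS = """\
{"type":"exec","pid":100,"ppid":1,"exe":"/opt/langflow/bin/python3","cmdline":"python3 -m langflow run"}
{"type":"exec","pid":101,"ppid":100,"exe":"/opt/langflow/bin/python3","cmdline":"python3 worker.py"}
{"type":"exec","pid":205,"ppid":101,"exe":"/bin/sh","cmdline":"sh -c id"}
{"type":"exec","pid":206,"ppid":205,"exe":"/usr/bin/curl","cmdline":"curl https://example.invalid/"}
{"type":"open","pid":205,"path":"/proc/100/environ"}
{"type":"open","pid":100,"path":"/proc/self/environ"}
{"type":"exec","pid":300,"ppid":1,"exe":"/bin/sh","cmdline":"sh -c backup.sh"}
"""

ALLOWED_CHILDREN = {"python", "python3"}  # assumption: baseline per deployment
ENVIRON_RE = re.compile(r"^/proc/(\d+|self)/environ$")


def detect(events_text, root_marker="langflow"):
    """Return alerts for the Langflow process tree found in ordered JSON-lines events."""
    tracked = set()  # PIDs of the Langflow process and all of its descendants
    alerts = []
    for line in events_text.splitlines():
        ev = json.loads(line)
        pid = ev["pid"]
        if ev["type"] == "exec":
            is_root = root_marker in ev["cmdline"]
            if is_root or ev["ppid"] in tracked:
                tracked.add(pid)
                name = PurePosixPath(ev["exe"]).name
                # Descendants outside the baseline (shells, network tools) are suspicious.
                if not is_root and name not in ALLOWED_CHILDREN:
                    alerts.append(("unexpected_child", pid, name))
        elif ev["type"] == "open" and pid in tracked:
            m = ENVIRON_RE.match(ev["path"])
            # Reading another process's environ exposes that process's stored secrets.
            if m and m.group(1) not in ("self", str(pid)):
                alerts.append(("environ_read", pid, ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events must arrive parent-before-child for the tree tracking to work; the unrelated `sh` under PID 1 and the allowlisted worker produce no alert.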

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity; Article 9 - Risk Management System
ISO 42001: A.6.2 - AI Risk Management; A.9.4 - AI System Security
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to respond to and recover from residual AI risks
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities; LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-6543 actively exploited?

No confirmed active exploitation of CVE-2026-6543 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-6543?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow orchestration, RAG pipelines, AI development platforms, model serving.

What is the CVSS score for CVE-2026-6543?

CVE-2026-6543 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.47%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM workflow orchestration, RAG pipelines, AI development platforms, model serving

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05, LLM06

What are the technical details?

Original Advisory

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.

Exploitation Scenario

An attacker with a valid Langflow account — obtained via credential stuffing, a leaked trial registration, or phishing — sends a crafted workflow definition or API payload that exploits the CWE-94 code injection flaw in Langflow's workflow execution engine. The injected commands enumerate and exfiltrate all process environment variables, harvesting API keys for OpenAI, Anthropic, and other configured LLM providers, along with database connection strings and cloud provider tokens. The attacker then uses those credentials to access connected vector databases (extracting RAG knowledge bases), cloud storage buckets (downloading proprietary model weights or training data), and internal LLM APIs — either exfiltrating intellectual property or injecting poisoned data into downstream pipelines for persistent compromise.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 30, 2026
Last Modified: May 11, 2026
First Seen: April 30, 2026
