Langflow: RCE via symlink traversal in archive extraction — CRITICAL (CVE-2026-7524)

CISO Take

IBM Langflow OSS versions 1.0.0 through 1.9.1 contain a critical path traversal vulnerability (CWE-22) in archive extraction that allows an unauthenticated remote attacker to achieve full remote code execution with a single network request. With a CVSS score of 9.8 and no authentication, privileges, or user interaction required, this is the worst possible exploitability profile — any internet-exposed Langflow instance is a direct path to host compromise, including all LLM API keys, vector database credentials, and pipeline data stored on that host. While no public exploit currently exists and CISA has not added this to KEV, symlink traversal in archive extraction is a well-understood attack class and weaponized PoCs typically emerge within days of patch publication. Upgrade immediately to the patched version listed in the IBM advisory, or firewall all public access to Langflow ports until patching is complete.

Sources: NVD IBM Advisory (ibm.com) ATLAS

What is the risk?

Severity is CRITICAL with no practical mitigating factors. The CVSS 9.8 reflects maximum network exploitability: unauthenticated, low-complexity, network-accessible RCE with full confidentiality, integrity, and availability impact. Langflow is commonly deployed as an internet-facing service for building and hosting LLM pipelines, meaning many instances are directly exposed. Symlink-based path traversal in archive extraction is a reliable, well-documented exploitation class requiring minimal attacker skill — this rates as trivial to exploit once a PoC surfaces.

Attack Kill Chain

Initial Access

Attacker identifies a publicly accessible Langflow instance (versions 1.0.0–1.9.1) via internet scanning tools querying for the Langflow web UI on default ports.

AML.T0049

Exploitation

Attacker uploads a crafted archive containing a malicious symlink resolving to a sensitive filesystem path outside the extraction directory, bypassing Langflow's symlink validation.

AML.T0050

Persistence

Symlink traversal allows writing an attacker-controlled payload (cron job, SSH authorized key, or web shell) to a privileged system path, establishing persistent access.

AML.T0072

Impact

Attacker achieves full host compromise, exfiltrating LLM API keys, vector database credentials, RAG document stores, and workflow configurations from the Langflow server.

AML.T0025

Initial Access

Attacker identifies a publicly accessible Langflow instance (versions 1.0.0–1.9.1) via internet scanning tools querying for the Langflow web UI on default ports.

AML.T0049

Exploitation

Attacker uploads a crafted archive containing a malicious symlink resolving to a sensitive filesystem path outside the extraction directory, bypassing Langflow's symlink validation.

AML.T0050

Persistence

Symlink traversal allows writing an attacker-controlled payload (cron job, SSH authorized key, or web shell) to a privileged system path, establishing persistent access.

AML.T0072

Impact

Attacker achieves full host compromise, exfiltrating LLM API keys, vector database credentials, RAG document stores, and workflow configurations from the Langflow server.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
148.7K Pushed 3d ago 30% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

4 steps

Patch immediately: Upgrade Langflow to the fixed version specified in the IBM advisory at https://www.ibm.com/support/pages/node/7273426.
Network isolation (if patching is blocked): Firewall Langflow's default ports (7860/7861) to block all public internet access — restrict to internal networks or VPN only.
Detection: Audit web server logs for multipart POST requests uploading archive files (.zip, .tar.gz, .tar); inspect filesystem events for writes to sensitive paths (cron directories, SSH authorized_keys, web-accessible directories) initiated by the Langflow process user.
Credential rotation: Treat any internet-exposed Langflow instance as potentially compromised — rotate all LLM API keys, vector DB passwords, and any secrets accessible from the Langflow host environment.

Classification

Code Execution Supply Chain Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.2 - AI system risk assessment

NIST AI RMF

MANAGE 2.2 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-7524?

IBM Langflow OSS versions 1.0.0 through 1.9.1 contain a critical path traversal vulnerability (CWE-22) in archive extraction that allows an unauthenticated remote attacker to achieve full remote code execution with a single network request. With a CVSS score of 9.8 and no authentication, privileges, or user interaction required, this is the worst possible exploitability profile — any internet-exposed Langflow instance is a direct path to host compromise, including all LLM API keys, vector database credentials, and pipeline data stored on that host. While no public exploit currently exists and CISA has not added this to KEV, symlink traversal in archive extraction is a well-understood attack class and weaponized PoCs typically emerge within days of patch publication. Upgrade immediately to the patched version listed in the IBM advisory, or firewall all public access to Langflow ports until patching is complete.

Is CVE-2026-7524 actively exploited?

No confirmed active exploitation of CVE-2026-7524 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-7524?

1. Patch immediately: Upgrade Langflow to the fixed version specified in the IBM advisory at https://www.ibm.com/support/pages/node/7273426. 2. Network isolation (if patching is blocked): Firewall Langflow's default ports (7860/7861) to block all public internet access — restrict to internal networks or VPN only. 3. Detection: Audit web server logs for multipart POST requests uploading archive files (.zip, .tar.gz, .tar); inspect filesystem events for writes to sensitive paths (cron directories, SSH authorized_keys, web-accessible directories) initiated by the Langflow process user. 4. Credential rotation: Treat any internet-exposed Langflow instance as potentially compromised — rotate all LLM API keys, vector DB passwords, and any secrets accessible from the Langflow host environment.

What systems are affected by CVE-2026-7524?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow pipelines, agent frameworks, no-code/low-code AI development platforms, RAG pipelines, model serving.

What is the CVSS score for CVE-2026-7524?

CVE-2026-7524 has a CVSS v3.1 base score of 9.8 (CRITICAL).

AI Security Impact

Affected AI Architectures

LLM workflow pipelinesagent frameworksno-code/low-code AI development platformsRAG pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.8.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM03

Technical Details

Original Advisory

IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.

Exploitation Scenario

An attacker scans for internet-exposed Langflow instances (trivial via Shodan or Censys queries for the Langflow UI). They craft a ZIP archive containing a symlink entry that resolves to a sensitive path outside the extraction root — for example, a symlink named 'payload' pointing to /etc/cron.d/backdoor. When Langflow extracts the archive without validating symlink targets, the attacker's subsequent upload of the actual payload file follows the symlink and writes a cron job to the system crontab directory, achieving scheduled code execution as the Langflow process user. The entire attack chain requires two HTTP requests, no credentials, and is executable by a script-kiddie once a PoC is published.