CVE-2026-7528: Langflow: DoS via uncontrolled resource consumption

HIGH PoC AVAILABLE
Published May 27, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.9.0 contain an uncontrolled resource consumption flaw (CWE-400) that any authenticated user with low privileges can trigger remotely with no interaction required, earning a CVSS 7.1 High rating. The high availability impact means a successful exploit halts all Langflow-powered LLM workflows, agentic chains, and RAG pipelines on the affected host — a single rogue insider or compromised service account is sufficient. There is no confirmed in-the-wild exploitation and no public exploit today, but the low attack complexity makes opportunistic or accidental abuse plausible in any environment exposing Langflow to multiple users. Upgrade beyond 1.9.0 per IBM's advisory, and in the interim restrict API access to trusted identities and apply request rate limiting at the reverse proxy layer.

Sources: NVD ATLAS

What is the risk?

Medium-High. Network-accessible with low attack complexity and no user interaction required, but exploitation is gated behind at least low-privilege credentials, limiting immediate blast radius to authenticated actors — insiders, compromised service accounts, or multi-tenant users. The high availability impact means a successful exploit can fully disrupt Langflow-dependent AI services. Absence from CISA KEV and no public exploit reduce urgency, but the straightforward exploitation profile warrants patching within the normal patch cycle for any production Langflow deployment.

How does the attack unfold?

Initial Access
Attacker obtains low-privilege credentials to the Langflow instance via credential theft, insider access, or reuse of default or shared demo accounts.
AML.T0012
Exploitation
Attacker submits crafted API requests — such as deeply nested flow definitions or recursive execution triggers — that cause Langflow's engine to consume unbounded CPU and memory.
AML.T0049
Impact
Host resources are exhausted, causing complete denial of service for all Langflow users and halting all dependent LLM workflows, agentic pipelines, and RAG query services.
AML.T0029

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed today 35% patched ~67d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 12% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Patch: Upgrade IBM Langflow OSS to a version beyond 1.9.0; confirm the fixed release in IBM's advisory at https://www.ibm.com/support/pages/node/7273427.

  2. Access restriction: Until patched, limit Langflow API endpoints to explicitly authorized users and known IP ranges; remove or suspend all unnecessary low-privilege accounts.

  3. Rate limiting: Apply per-session request rate limits and payload size caps at the reverse proxy or API gateway.

  4. Monitor: Alert on abnormal CPU/memory spikes in the Langflow container or process — a sudden resource spike from a single session is a strong indicator.

  5. Audit: Enumerate all low-privilege accounts with API access and verify they are still needed.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - AI System Availability and Resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI system deployment
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-7528?

IBM Langflow OSS versions 1.0.0 through 1.9.0 contain an uncontrolled resource consumption flaw (CWE-400) that any authenticated user with low privileges can trigger remotely with no interaction required, earning a CVSS 7.1 High rating. The high availability impact means a successful exploit halts all Langflow-powered LLM workflows, agentic chains, and RAG pipelines on the affected host — a single rogue insider or compromised service account is sufficient. There is no confirmed in-the-wild exploitation and no public exploit today, but the low attack complexity makes opportunistic or accidental abuse plausible in any environment exposing Langflow to multiple users. Upgrade beyond 1.9.0 per IBM's advisory, and in the interim restrict API access to trusted identities and apply request rate limiting at the reverse proxy layer.

Is CVE-2026-7528 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-7528, increasing the risk of exploitation.

How to fix CVE-2026-7528?

1. Patch: Upgrade IBM Langflow OSS to a version beyond 1.9.0; confirm the fixed release in IBM's advisory at https://www.ibm.com/support/pages/node/7273427. 2. Access restriction: Until patched, limit Langflow API endpoints to explicitly authorized users and known IP ranges; remove or suspend all unnecessary low-privilege accounts. 3. Rate limiting: Apply per-session request rate limits and payload size caps at the reverse proxy or API gateway. 4. Monitor: Alert on abnormal CPU/memory spikes in the Langflow container or process — a sudden resource spike from a single session is a strong indicator. 5. Audit: Enumerate all low-privilege accounts with API access and verify they are still needed.

What systems are affected by CVE-2026-7528?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration, agent frameworks, RAG pipelines, AI application backends.

What is the CVSS score for CVE-2026-7528?

CVE-2026-7528 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

LLM workflow orchestrationagent frameworksRAG pipelinesAI application backends

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034.001 Resource-Intensive Queries
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.

Exploitation Scenario

An attacker with a low-privilege Langflow account — an insider, a shared demo credential, or a compromised CI/CD service account — submits a sequence of crafted flow execution requests containing deeply nested chain definitions or recursive trigger patterns. Langflow's execution engine processes these without enforcing resource caps, consuming unbounded CPU and memory until the host process is exhausted. Within minutes, all legitimate workflow invocations fail with timeout or OOM errors. The attacker needs no special AI/ML knowledge: the trigger is a malformed API payload, not a sophisticated model attack.

Weaknesses (CWE)

CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.

  • [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
  • [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 27, 2026
Last Modified
June 2, 2026
First Seen
May 27, 2026

Related Vulnerabilities