CVE-2026-7528: Langflow: DoS via uncontrolled resource consumption
HIGH PoC AVAILABLEIBM Langflow OSS versions 1.0.0 through 1.9.0 contain an uncontrolled resource consumption flaw (CWE-400) that any authenticated user with low privileges can trigger remotely with no interaction required, earning a CVSS 7.1 High rating. The high availability impact means a successful exploit halts all Langflow-powered LLM workflows, agentic chains, and RAG pipelines on the affected host — a single rogue insider or compromised service account is sufficient. There is no confirmed in-the-wild exploitation and no public exploit today, but the low attack complexity makes opportunistic or accidental abuse plausible in any environment exposing Langflow to multiple users. Upgrade beyond 1.9.0 per IBM's advisory, and in the interim restrict API access to trusted identities and apply request rate limiting at the reverse proxy layer.
What is the risk?
Medium-High. Network-accessible with low attack complexity and no user interaction required, but exploitation is gated behind at least low-privilege credentials, limiting immediate blast radius to authenticated actors — insiders, compromised service accounts, or multi-tenant users. The high availability impact means a successful exploit can fully disrupt Langflow-dependent AI services. Absence from CISA KEV and no public exploit reduce urgency, but the straightforward exploitation profile warrants patching within the normal patch cycle for any production Langflow deployment.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Patch: Upgrade IBM Langflow OSS to a version beyond 1.9.0; confirm the fixed release in IBM's advisory at https://www.ibm.com/support/pages/node/7273427.
-
Access restriction: Until patched, limit Langflow API endpoints to explicitly authorized users and known IP ranges; remove or suspend all unnecessary low-privilege accounts.
-
Rate limiting: Apply per-session request rate limits and payload size caps at the reverse proxy or API gateway.
-
Monitor: Alert on abnormal CPU/memory spikes in the Langflow container or process — a sudden resource spike from a single session is a strong indicator.
-
Audit: Enumerate all low-privilege accounts with API access and verify they are still needed.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-7528?
IBM Langflow OSS versions 1.0.0 through 1.9.0 contain an uncontrolled resource consumption flaw (CWE-400) that any authenticated user with low privileges can trigger remotely with no interaction required, earning a CVSS 7.1 High rating. The high availability impact means a successful exploit halts all Langflow-powered LLM workflows, agentic chains, and RAG pipelines on the affected host — a single rogue insider or compromised service account is sufficient. There is no confirmed in-the-wild exploitation and no public exploit today, but the low attack complexity makes opportunistic or accidental abuse plausible in any environment exposing Langflow to multiple users. Upgrade beyond 1.9.0 per IBM's advisory, and in the interim restrict API access to trusted identities and apply request rate limiting at the reverse proxy layer.
Is CVE-2026-7528 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-7528, increasing the risk of exploitation.
How to fix CVE-2026-7528?
1. Patch: Upgrade IBM Langflow OSS to a version beyond 1.9.0; confirm the fixed release in IBM's advisory at https://www.ibm.com/support/pages/node/7273427. 2. Access restriction: Until patched, limit Langflow API endpoints to explicitly authorized users and known IP ranges; remove or suspend all unnecessary low-privilege accounts. 3. Rate limiting: Apply per-session request rate limits and payload size caps at the reverse proxy or API gateway. 4. Monitor: Alert on abnormal CPU/memory spikes in the Langflow container or process — a sudden resource spike from a single session is a strong indicator. 5. Audit: Enumerate all low-privilege accounts with API access and verify they are still needed.
What systems are affected by CVE-2026-7528?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration, agent frameworks, RAG pipelines, AI application backends.
What is the CVSS score for CVE-2026-7528?
CVE-2026-7528 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0029 Denial of AI Service AML.T0034.001 Resource-Intensive Queries AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.
Exploitation Scenario
An attacker with a low-privilege Langflow account — an insider, a shared demo credential, or a compromised CI/CD service account — submits a sequence of crafted flow execution requests containing deeply nested chain definitions or recursive trigger patterns. Langflow's execution engine processes these without enforcing resource caps, consuming unbounded CPU and memory until the host process is exhausted. Within minutes, all legitimate workflow invocations fail with timeout or OOM errors. The attacker needs no special AI/ML knowledge: the trigger is a malformed API payload, not a sophisticated model attack.
Weaknesses (CWE)
CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.
- [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker. recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow