CVE-2026-7528: Langflow: DoS via uncontrolled resource consumption
IBM Langflow OSS versions 1.0.0 through 1.9.0 contain an uncontrolled resource consumption flaw (CWE-400) that any authenticated user with low privileges can trigger remotely with no interaction required, earning a CVSS 7.1 High rating. The high availability impact means a successful exploit halts all Langflow-powered LLM workflows, agentic chains, and RAG pipelines on the affected host — a single rogue insider or compromised service account is sufficient. There is no confirmed in-the-wild exploitation and no public exploit today, but the low attack complexity makes opportunistic or accidental abuse plausible in any environment exposing Langflow to multiple users. Upgrade beyond 1.9.0 per IBM's advisory, and in the interim restrict API access to trusted identities and apply request rate limiting at the reverse proxy layer.
What is the risk?
Medium-High. Network-accessible with low attack complexity and no user interaction required, but exploitation is gated behind at least low-privilege credentials, limiting immediate blast radius to authenticated actors — insiders, compromised service accounts, or multi-tenant users. The high availability impact means a successful exploit can fully disrupt Langflow-dependent AI services. Absence from CISA KEV and no public exploit reduce urgency, but the straightforward exploitation profile warrants patching within the normal patch cycle for any production Langflow deployment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | — | No patch |
Do you use langflow? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade IBM Langflow OSS to a version beyond 1.9.0; confirm the fixed release in IBM's advisory at https://www.ibm.com/support/pages/node/7273427.
2. Access restriction: Until patched, limit Langflow API endpoints to explicitly authorized users and known IP ranges; remove or suspend all unnecessary low-privilege accounts.
3. Rate limiting: Apply per-session request rate limits and payload size caps at the reverse proxy or API gateway.
4. Monitor: Alert on abnormal CPU/memory spikes in the Langflow container or process — a sudden resource spike from a single session is a strong indicator.
5. Audit: Enumerate all low-privilege accounts with API access and verify they are still needed.
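Steps 3 and 4 above can be checked from reverse-proxy access logs before the rate limit and alerting are wired into infrastructure. The script below is an added example, not code from the advisory or the Langflow project; it assumes a constructed log format (`<iso-ts> <principal> <method> <path> <status> <bytes>`), lines in time order, a `/api/v1/run/` flow-execution prefix, and illustrative thresholds, and flags principals that burst execution requests or send oversized bodies.

```python
"""Flag Langflow API sessions that burst flow executions or send oversized bodies.
Added example, not code from the advisory or the Langflow project; the log format,
the '/api/v1/run/' prefix and every threshold are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RUN_PREFIX = "/api/v1/run/"      # assumed flow-execution endpoint prefix
WINDOW = timedelta(seconds=60)   # sliding window per principal
MAX_RUNS_PER_WINDOW = 20         # assumed per-session execution budget
MAX_BODY_BYTES = 256 * 1024      # assumed payload size cap

def parse_line(line):
    """Parse '<iso-ts> <principal> <method> <path> <status> <bytes>'; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, principal, _method, path, _status, size = parts
    try:
        return datetime.fromisoformat(ts), principal, path, int(size)
    except ValueError:
        return None

def find_abusive_sessions(lines):
    """Return sorted (principal, reason): 'burst' if more than MAX_RUNS_PER_WINDOW run
    calls fall inside WINDOW, 'oversized' if one body exceeds MAX_BODY_BYTES."""
    recent = defaultdict(deque)  # principal -> timestamps of recent run calls
    findings = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # malformed lines are skipped, not trusted
            continue
        ts, principal, path, size = parsed
        if not path.startswith(RUN_PREFIX):
            continue
        if size > MAX_BODY_BYTES:
            findings.add((principal, "oversized"))
        window = recent[principal]
        window.append(ts)
        while ts - window[0] > WINDOW:  # evict calls older than the window
            window.popleft()
        if len(window) > MAX_RUNS_PER_WINDOW:
            findings.add((principal, "burst"))
    return sorted(findings)
# Constructed sample: a normal user, a bursting service account, one oversized body.
SAMPLE_LOG = (
    ["2026-01-10T12:00:%02d alice POST /api/v1/run/f1 200 2048" % (10 * i) for i in range(6)]
    + ["2026-01-10T12:00:%02d svc-ci POST /api/v1/run/f1 200 4096" % i for i in range(25)]
    + ["2026-01-10T12:01:00 bob POST /api/v1/run/f1 200 1048576"]
)
```

Running `find_abusive_sessions(SAMPLE_LOG)` reports the service account for bursting and `bob` for the oversized body, while the normal user is not flagged.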
Frequently Asked Questions
Is CVE-2026-7528 actively exploited?
No confirmed active exploitation of CVE-2026-7528 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-7528?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration, agent frameworks, RAG pipelines, AI application backends.
What is the CVSS score for CVE-2026-7528?
CVE-2026-7528 has a CVSS v3.1 base score of 7.1 (HIGH).
AI Security Impact
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034.001 Resource-Intensive Queries
- AML.T0049 Exploit Public-Facing Application
Technical Details
Original Advisory
IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.
Exploitation Scenario
An attacker with a low-privilege Langflow account — an insider, a shared demo credential, or a compromised CI/CD service account — submits a sequence of crafted flow execution requests containing deeply nested chain definitions or recursive trigger patterns. Langflow's execution engine processes these without enforcing resource caps, consuming unbounded CPU and memory until the host process is exhausted. Within minutes, all legitimate workflow invocations fail with timeout or OOM errors. The attacker needs no special AI/ML knowledge: the trigger is a malformed API payload, not a sophisticated model attack.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Related Vulnerabilities (same package: langflow)
- CVE-2026-33309 (9.9) langflow: Path Traversal enables file access
- CVE-2024-37014 (9.8) Langflow: unauthenticated RCE via custom component API
- CVE-2026-27966 (9.8) langflow: Code Injection enables RCE
- CVE-2026-33017 (9.8) langflow: Code Injection enables RCE
- CVE-2024-42835 (9.8) Langflow: Unauthenticated RCE via PythonCodeTool