CVE-2026-7874

CRITICAL
Published June 30, 2026

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at...

Full CISO analysis pending enrichment.

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A None

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-7874?

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Is CVE-2026-7874 actively exploited?

No confirmed active exploitation of CVE-2026-7874 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-7874?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-7874?

CVE-2026-7874 has a CVSS v3.1 base score of 9.1 (CRITICAL).

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Weaknesses (CWE)

CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG): The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

  • [Implementation] Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
June 30, 2026
Last Modified
June 30, 2026
First Seen
June 30, 2026