CVE-2026-7874
CRITICALIBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at...
Full CISO analysis pending enrichment.
How severe is it?
What is the attack surface?
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-7874?
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.
Is CVE-2026-7874 actively exploited?
No confirmed active exploitation of CVE-2026-7874 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-7874?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-7874?
CVE-2026-7874 has a CVSS v3.1 base score of 9.1 (CRITICAL).
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.
Weaknesses (CWE)
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Primary
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG): The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
- [Implementation] Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N