CVE-2026-8476: Langflow: pickle deserialization RCE via disk cache (CVSS 9.9)

CRITICAL
Published July 17, 2026
CISO Take

IBM Langflow's AsyncDiskCache deserializes cached objects with Python's pickle.loads() without any integrity check or authentication, so anything that can influence what gets written to that cache — a crafted workflow input, a malicious custom component, direct file system access, or API manipulation — can hand an attacker arbitrary code execution as the Langflow server process. This scores CVSS 9.9 (network, low complexity, low privileges, no user interaction, scope change, full confidentiality/integrity/availability loss), which is about as bad as it gets for a framework that's frequently exposed as an internal or even public-facing low-code agent builder. There is no EPSS score, no CISA KEV listing, and no known public exploit or Nuclei template yet, so this hasn't been weaponized in the wild as of today — but pickle deserialization RCE is one of the best-understood exploitation primitives in Python security tooling, meaning a working exploit is trivial to develop once someone looks. Patch to a fixed Langflow release immediately (check the IBM support advisory for the version boundary), and until patched, restrict network access to Langflow instances, disable or tightly sandbox custom components, and treat any low-privilege user with workflow-authoring rights as capable of full server compromise. Detection teams should flag unexpected `pickle`/deserialization-related process spawns or outbound connections from Langflow hosts as a priority indicator.

Sources: NVD ATLAS ibm.com

What is the risk?

Critical risk. The vulnerability requires only low privileges and no user interaction, is remotely reachable (AV:N), and requires low attack complexity — the main barrier to mass exploitation is the current absence of a public PoC or scanner template, not any technical difficulty in constructing a pickle-based RCE payload. Given the well-documented state of pickle exploitation techniques, functional exploit code is likely to appear quickly. Any organization running Langflow with network exposure or with less-trusted users able to create workflows, custom components, or trigger cache writes should treat this as an active, high-priority patch item, not a background risk.

How does the attack unfold?

Initial Access
Attacker with low-privilege access submits a crafted workflow input, custom component, or API call designed to influence Langflow's disk cache contents.
AML.T0049
Malicious Payload Staging
A malicious pickle payload is written to or otherwise reaches the AsyncDiskCache storage as a cached object.
AML.T0011.000
Exploitation
Langflow deserializes the cached object with pickle.loads() without validation, triggering execution of attacker-controlled code with server-process privileges.
Impact
Attacker achieves full system compromise, accessing credentials, pivoting internally, or establishing persistence via reverse shell.
AML.T0072

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.9 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A High

What should I do?

1 step
  1. 1) Upgrade Langflow to the patched release referenced in IBM's advisory (support.ibm.com/pages/node/7278922) as soon as it is available/confirmed — versions 1.0.0 through 1.10.0 are affected. 2) Until patched, do not expose Langflow instances directly to the internet; place them behind authenticated network access (VPN, allowlisted IPs). 3) Restrict who can author workflows, upload custom components, or otherwise write to the disk cache — treat workflow-author privileges as equivalent to code-execution privileges on the host. 4) Monitor the AsyncDiskCache directory and file system for unexpected writes, and monitor the Langflow process for anomalous child processes or outbound network connections consistent with a reverse shell. 5) Rotate any credentials/API keys accessible to the Langflow server process as a precaution if exposure is suspected. 6) Consider running Langflow in a sandboxed/least-privilege container with no unnecessary host access while awaiting the patch.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Annex A.6.2 - AI system life cycle security
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-8476?

IBM Langflow's AsyncDiskCache deserializes cached objects with Python's pickle.loads() without any integrity check or authentication, so anything that can influence what gets written to that cache — a crafted workflow input, a malicious custom component, direct file system access, or API manipulation — can hand an attacker arbitrary code execution as the Langflow server process. This scores CVSS 9.9 (network, low complexity, low privileges, no user interaction, scope change, full confidentiality/integrity/availability loss), which is about as bad as it gets for a framework that's frequently exposed as an internal or even public-facing low-code agent builder. There is no EPSS score, no CISA KEV listing, and no known public exploit or Nuclei template yet, so this hasn't been weaponized in the wild as of today — but pickle deserialization RCE is one of the best-understood exploitation primitives in Python security tooling, meaning a working exploit is trivial to develop once someone looks. Patch to a fixed Langflow release immediately (check the IBM support advisory for the version boundary), and until patched, restrict network access to Langflow instances, disable or tightly sandbox custom components, and treat any low-privilege user with workflow-authoring rights as capable of full server compromise. Detection teams should flag unexpected `pickle`/deserialization-related process spawns or outbound connections from Langflow hosts as a priority indicator.

Is CVE-2026-8476 actively exploited?

No confirmed active exploitation of CVE-2026-8476 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8476?

1) Upgrade Langflow to the patched release referenced in IBM's advisory (support.ibm.com/pages/node/7278922) as soon as it is available/confirmed — versions 1.0.0 through 1.10.0 are affected. 2) Until patched, do not expose Langflow instances directly to the internet; place them behind authenticated network access (VPN, allowlisted IPs). 3) Restrict who can author workflows, upload custom components, or otherwise write to the disk cache — treat workflow-author privileges as equivalent to code-execution privileges on the host. 4) Monitor the AsyncDiskCache directory and file system for unexpected writes, and monitor the Langflow process for anomalous child processes or outbound network connections consistent with a reverse shell. 5) Rotate any credentials/API keys accessible to the Langflow server process as a precaution if exposure is suspected. 6) Consider running Langflow in a sandboxed/least-privilege container with no unnecessary host access while awaiting the patch.

What systems are affected by CVE-2026-8476?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, low-code/no-code AI pipeline builders, workflow orchestration.

What is the CVSS score for CVE-2026-8476?

CVE-2026-8476 has a CVSS v3.1 base score of 9.9 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworkslow-code/no-code AI pipeline buildersworkflow orchestration

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Annex A.6.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the disk-based caching mechanism. The AsyncDiskCache class uses Python's unsafe pickle.loads() function to deserialize cached objects from disk without validation, integrity verification, or authentication, enabling arbitrary code execution when malicious pickle payloads are processed. Attackers who can influence cached data through file system access, malicious workflow inputs, custom components, or API manipulation can achieve complete system compromise with the privileges of the Langflow server process.

Exploitation Scenario

An attacker with low-privilege access to a Langflow instance — for example, a workflow-builder account in a multi-tenant deployment, or an external actor who can reach the API — crafts a malicious pickle payload disguised as workflow input data or embeds it via a custom component. When Langflow's AsyncDiskCache later deserializes this cached object using pickle.loads(), the payload executes arbitrary Python code with the privileges of the Langflow server process. From there, the attacker can pivot to read environment variables and API keys, access any connected vector databases or LLM provider credentials, move laterally within the internal network, or establish persistence — achieving full compromise of the AI application stack from what began as an ordinary-looking workflow submission.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities