CVE-2026-7871: CWE-502 Deserialization of Untrusted Data in IBM Langflow OSS
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a deserialization vulnerability (CWE-502) that allows users with Redis access to execute arbitrary code with full application privileges. This can lead to complete compromise of secrets, data, and system integrity. The vulnerability has a critical CVSS score of 9.8. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
CVE-2026-7871 is a critical deserialization of untrusted data vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0. The flaw allows an attacker with access to Redis to execute arbitrary code within the application context, potentially compromising all sensitive information and the integrity of the system. The vulnerability is identified as CWE-502 and has a CVSS 3.1 base score of 9.8, indicating high exploitability and impact. No vendor advisory or patch has been published to date.
Potential Impact
Successful exploitation enables arbitrary code execution with full application privileges, leading to complete compromise of application secrets, data confidentiality, integrity, and availability. This can result in unauthorized access, data leakage, and system control by an attacker with Redis access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict and monitor access to Redis instances used by IBM Langflow OSS to trusted users only, and consider isolating the Redis service to reduce exposure.
CVE-2026-7871: CWE-502 Deserialization of Untrusted Data in IBM Langflow OSS
Description
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a deserialization vulnerability (CWE-502) that allows users with Redis access to execute arbitrary code with full application privileges. This can lead to complete compromise of secrets, data, and system integrity. The vulnerability has a critical CVSS score of 9.8. No official patch or remediation guidance is currently available from the vendor.
CVSS v3.1
Score 9.8critical
Affected software
cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-7871 is a critical deserialization of untrusted data vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0. The flaw allows an attacker with access to Redis to execute arbitrary code within the application context, potentially compromising all sensitive information and the integrity of the system. The vulnerability is identified as CWE-502 and has a CVSS 3.1 base score of 9.8, indicating high exploitability and impact. No vendor advisory or patch has been published to date.
Potential Impact
Successful exploitation enables arbitrary code execution with full application privileges, leading to complete compromise of application secrets, data confidentiality, integrity, and availability. This can result in unauthorized access, data leakage, and system control by an attacker with Redis access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict and monitor access to Redis instances used by IBM Langflow OSS to trusted users only, and consider isolating the Redis service to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ibm
- Date Reserved
- 2026-05-05T14:14:39.413Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a441ac027e9c7971948ab6d
Added to database: 06/30/2026, 19:36:32 UTC
Last enriched: 06/30/2026, 19:51:28 UTC
Last updated: 06/30/2026, 20:41:53 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.