CVE-2026-6543
HIGH
IBM Langflow Desktop Code Validation Endpoint - Authenticated RCE
Title source: manual
Description
IBM Langflow Desktop 1.0.0 through 1.8.4 allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.
References (1)
Core References
Vendor Advisory (vendor-advisory, patch)
https://www.ibm.com/support/pages/node/7271092
Scores
CVSS v3: 8.8
EPSS: 0.0047
EPSS Percentile: 36.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (2)
IBM/Langflow Desktop: 1.0.0 - 1.8.4
langflow/langflow_desktop: 1.0.0 - 1.8.4
Published: Apr 30, 2026
Tracked Since: May 01, 2026