CVE-2026-6543

HIGH

Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint

Title source: cna

Description

IBM Langflow Desktop 1.0.0 through 1.8.4 allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.

Scores

CVSS v3 8.8
EPSS 0.0004
EPSS Percentile 11.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
IBM/Langflow Desktop 1.0.0 - 1.8.4
Published Apr 30, 2026
Tracked Since May 01, 2026