CVE-2026-0772
Deserialization RCE in Langflow Disk Cache Requires Authentication
Publication date: 2026-01-23
Last updated on: 2026-02-18
Assigner: Zero Day Initiative
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | 1.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in Langflow's disk cache service. The service does not properly validate user-supplied data, which results in deserialization of untrusted data. An authenticated attacker can exploit this flaw to execute arbitrary code remotely with the privileges of the service account running the disk cache service. [1]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to execute arbitrary code on the affected system remotely, potentially leading to full compromise of the service running Langflow. This could result in unauthorized actions, data manipulation, or further attacks within the environment. [1]