CVE-2026-7528
IBM Langflow OSS Denial of Service Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: IBM Corporation

Description
IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor    Product    Version / Range
langflow  langflow   From 1.0.0 (inclusive) to 1.9.0 (inclusive)
CWE
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-7528 is a vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.0 that allows unauthenticated users to upload an unlimited number of files to the server through a deprecated API endpoint that performs no authentication or validation.

This happens because the /api/v1/upload/{flow_id} endpoint lacks authentication checks and does not validate the flow_id parameter, enabling attackers with network access to repeatedly upload files using any UUID.

As a result, attackers can cause uncontrolled resource consumption, specifically disk space exhaustion, leading to a denial of service (DoS). Additionally, the vulnerability can lead to information disclosure through absolute file path leakage in API responses.

Compliance Impact

The provided information does not specify how the vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by allowing attackers to exhaust the server's disk space through unlimited file uploads, causing a denial of service (DoS) that disrupts normal operations.

Furthermore, the vulnerability can expose sensitive information by leaking absolute file paths in API responses, which could aid attackers in further exploitation.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or excessive file upload activity to the Langflow OSS server, specifically targeting the deprecated /api/v1/upload/{flow_id} endpoint without authentication.

Detection approaches include network traffic inspection and web server access log analysis to identify repeated POST requests to the /api/v1/upload/ endpoint with varying UUIDs.

  • Use tools like curl or wget to test the endpoint manually, for example: curl -X POST http://<server>/api/v1/upload/<flow_id> -F 'file=@testfile'
  • Check web server logs for repeated POST requests to /api/v1/upload/ with different flow_id values.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic targeting the vulnerable endpoint.
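As an added illustration of the access-log check described above (this is not code from the advisory or from the Langflow project), the following Python script parses constructed reverse-proxy access log lines, keeps only POSTs to the deprecated /api/v1/upload/{flow_id} route, and flags any client IP that exceeds a burst threshold or cycles through many distinct flow_id values. The Common Log Format layout, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Assumption (not from the advisory): a reverse proxy in front of Langflow writes
# Common Log Format access logs. UPLOAD_RE is the deprecated route the advisory names.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')
UPLOAD_RE = re.compile(r'^/api/v1/upload/(?P<flow_id>[0-9a-f-]{36})/?(?:\?.*)?$', re.I)

def parse_upload_post(line):
    """Return (ip, timestamp, flow_id) for a POST to the upload route, else None."""
    m = LOG_RE.match(line)
    u = UPLOAD_RE.match(m['path']) if m and m['method'] == 'POST' else None
    if not u:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, u['flow_id'].lower()

def find_upload_floods(lines, window_s=60, max_posts=20, max_flow_ids=5):
    """Return {ip: (peak_posts_in_window, distinct_flow_ids)} for IPs over either threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_upload_post(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()  # sliding window over (timestamp, flow_id) pairs
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        ids = len({fid for _, fid in events})
        if peak > max_posts or ids > max_flow_ids:
            flagged[ip] = (peak, ids)
    return flagged

def constructed_sample_log():
    """Constructed sample lines: one flooding client, one ordinary client."""
    t0 = datetime(2026, 5, 28, 10, 0, tzinfo=timezone.utc)
    clf = lambda dt: dt.strftime('%d/%b/%Y:%H:%M:%S %z')
    lines = []
    for i in range(30):  # 30 POSTs in 30 s, each with a different made-up UUID
        fid = f'{i:08x}-0000-4000-8000-000000000000'
        lines.append(f'203.0.113.7 - - [{clf(t0 + timedelta(seconds=i))}] "POST /api/v1/upload/{fid} HTTP/1.1" 201 96')
    for i in range(2):   # ordinary user: two uploads to one flow, five minutes apart
        lines.append(f'198.51.100.2 - - [{clf(t0 + timedelta(minutes=5 * i))}] "POST /api/v1/upload/11111111-2222-4333-8444-555555555555 HTTP/1.1" 201 96')
    lines.append(f'198.51.100.2 - - [{clf(t0)}] "GET /api/v1/flows/ HTTP/1.1" 200 1024')
    return lines
```

Running `find_upload_floods(constructed_sample_log())` flags only 203.0.113.7; tune the window and thresholds to the upload volume that is normal for your deployment.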
Mitigation Strategies

Immediate mitigation steps include upgrading Langflow OSS to version 1.9.2, which addresses the vulnerability.

Additional recommended mitigations are:

  • Add authentication to the /api/v1/upload/{flow_id} endpoint to prevent unauthenticated uploads.
  • Implement upload rate limiting and size restrictions to control resource consumption.
  • Validate the flow_id parameter against existing flows to prevent arbitrary file uploads.
  • Modify API responses to return only relative paths or filenames to prevent information disclosure.