CVE-2026-7873
Status: Received - Intake

Authenticated OS Command Injection in IBM Langflow OSS

Vulnerability report for CVE-2026-7873, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
Related entries: NVD, EUVD

Affected Vendors & Products

2 associated CPEs

Vendor  Product       Version / Range
ibm     langflow_oss  From 1.0.0 (inc) to 1.10.0 (inc)
ibm     langflow      From 1.0.0 (inc) to 1.10.0 (inc)

Exploitability

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Executive Summary

CVE-2026-7873 is a code injection vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0. It allows authenticated attackers to execute arbitrary operating system commands and read sensitive files, including credentials.

The root cause is improper control of code generation: Python evaluates default-argument expressions when a function definition is executed, not when the function is called, so code placed in a default argument runs while the submitted code is being validated even though the function itself is never invoked.

This vulnerability enables complete system compromise and lateral movement within affected environments.

Impact Analysis

This vulnerability can have severe impacts including complete system compromise.

  • Attackers can execute arbitrary OS commands.
  • Attackers can read sensitive files, including credentials.
  • It enables lateral movement within the affected environment.

Overall, it affects confidentiality, integrity, and availability of the system.

Mitigation Strategies

To mitigate the vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0, IBM strongly recommends upgrading Langflow OSS to version 1.10.1.

The vulnerability is caused by improper control of code generation that allows arbitrary OS command execution during validation. The fix removes the execution step from the validation path and validates with compile-only checks, which parse and byte-compile the submitted code without running any of it.
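An added illustration of the flaw class and fix described above (constructed example code, not Langflow's own validator; the validator functions, the side-effect sink and the sample source are all assumptions): a validator that exec()s submitted code triggers default-argument expressions merely by executing the def statement, while a compile()-only validator accepts or rejects the same source without running any of it.

```python
import ast

# Observable sink so the effect of each validator can be checked
# (constructed for this illustration; a real validator has no such sink).
SIDE_EFFECTS = []

# Constructed sample: a default-argument expression is evaluated when the
# `def` statement itself runs, not when f() is called. Exec-based validation
# therefore runs it even though f() is never invoked anywhere.
SAMPLE_SOURCE = (
    "def f(x=SIDE_EFFECTS.append('default evaluated')):\n"
    "    return x\n"
)


def validate_by_exec(source: str) -> bool:
    """Hypothetical pre-fix validator: exec() executes every top-level
    statement, including `def`, so default arguments run during validation."""
    try:
        exec(source, {"SIDE_EFFECTS": SIDE_EFFECTS})
        return True
    except SyntaxError:
        return False


def validate_by_compile(source: str) -> bool:
    """Fixed-style validator: compile() parses and byte-compiles only.
    No top-level statement, default argument or decorator is executed."""
    try:
        compile(source, "<user-code>", "exec")
        return True
    except SyntaxError:
        return False


def count_call_defaults(source: str) -> int:
    """Defence-in-depth review aid: count default arguments that are call
    expressions, a pattern worth flagging in submitted code before acceptance."""
    tree = ast.parse(source)
    count = 0
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for default in node.args.defaults + node.args.kw_defaults:
                if isinstance(default, ast.Call):
                    count += 1
    return count
```

Running validate_by_compile on SAMPLE_SOURCE leaves SIDE_EFFECTS empty, whereas validate_by_exec appends to it, which is exactly the execution step the fix removes.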

Compliance Impact

The vulnerability allows attackers to execute arbitrary OS commands and read sensitive files, including credentials, leading to complete system compromise and lateral movement. Such a compromise can result in unauthorized access to sensitive personal or protected health information.

This level of unauthorized access and data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining confidentiality, integrity, and availability of information systems.

Therefore, organizations using affected versions of IBM Langflow OSS may face increased risk of non-compliance due to potential data breaches and system compromises stemming from this vulnerability.
