CVE-2026-7667
Received Received - Intake

Arbitrary File Write via Malicious Flow in IBM Langflow OSS

Vulnerability report for CVE-2026-7667, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated attacker to create a malicious flow pointing to an attacker-controlled URL that returns a specially crafted Content-Disposition header (e.g., filename="../../../target/path" ), enabling arbitrary file write operations with attacker-controlled content to any path accessible by the Langflow process.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
ibm langflow From 1.0.0 (inc) to 1.10.0 (inc)
ibm langflow_oss From 1.0.0 (inc) to 1.10.0 (inc)
ibm langflow_oss 1.10.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-7667 is a path traversal vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0. An authenticated attacker can create a malicious flow that points to an attacker-controlled URL. When the flow executes and saves a file from the URL, the Content-Disposition header can be manipulated to write arbitrary files to any accessible path on the system.

Detection Guidance

Check for unauthorized file writes in logs or unexpected file modifications in directories accessible by Langflow. Inspect API Request component configurations for flows with save_to_file=True pointing to external URLs.

Impact Analysis

This vulnerability allows an attacker to write malicious files to any location accessible by the Langflow process. This could lead to remote code execution by overwriting critical files like shell configurations, SSH keys, or Python files. An attacker could gain control over the affected system.

Mitigation Strategies

Upgrade Langflow OSS to version 1.10.1 or later immediately. Review and remove any suspicious flows or configurations that use the API Request component with save_to_file=True.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart