CVE-2026-3357: IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the sys
Summary
IBM Langflow Desktop versions 1.6.0 through 1.8.2 contain a vulnerability that allows an authenticated user (someone who has already logged in) to run arbitrary code on the system. The flaw stems from an insecure default setting that allows deserialization of untrusted data (converting data from an external source back into code without checking if it's safe) in the FAISS component (a component used for similarity searching).
Vulnerability Details
8.8(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
network
low
low
none
April 7, 2026
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-3357
First tracked: April 8, 2026 at 02:08 AM
Classified by LLM (prompt v3) · confidence: 85%