CVE-2026-7524: IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links duri
Summary
IBM Langflow OSS (open-source software) versions 1.0.0 through 1.9.1 have a vulnerability that could allow remote code execution (running attacker-supplied code on the system over the network) because the software does not properly validate symbolic links (filesystem entries that point to other files) when extracting archive files. This is a path traversal weakness (CWE-22): an archive entry can cause files to be read or written outside the intended extraction directory, which an attacker could potentially use to access or execute files elsewhere on the system.
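The weakness class named above is checkable before any file is written: every archive member is audited, and the whole archive is refused if one member would land outside the destination. The Python below is an added illustration of that defensive check, not Langflow's code and not the vulnerable routine itself; the archive contents, the `audit_tar`/`safe_extract` function names and the destination path are all constructed for this example.

```python
import io
import os
import tarfile
import tempfile
from pathlib import PurePosixPath

# Hypothetical destination used by the demo; any absolute path works.
DEMO_DEST = os.path.join(tempfile.gettempdir(), "archive-extract-demo")


def _inside(dest: str, candidate: str) -> bool:
    """True if the normalised candidate path stays under dest."""
    dest = os.path.abspath(dest)
    candidate = os.path.normpath(candidate)
    return candidate == dest or candidate.startswith(dest + os.sep)


def audit_tar(tar: tarfile.TarFile, dest: str) -> list[tuple[str, str]]:
    """Inspect every member without extracting anything.

    Returns (member_name, reason) pairs for members that must be refused.
    An empty list means the archive is safe to extract into dest.
    """
    dest = os.path.abspath(dest)
    link_names: set[str] = set()   # symlink members accepted so far
    refused: list[tuple[str, str]] = []
    for m in tar.getmembers():
        parts = PurePosixPath(m.name).parts
        if m.name.startswith("/") or ".." in parts:
            refused.append((m.name, "absolute or parent-relative path"))
            continue
        # A member whose path passes through a symlink created earlier in the
        # same archive would be written wherever that link points.
        if any("/".join(parts[:i]) in link_names for i in range(1, len(parts))):
            refused.append((m.name, "path passes through an archived symlink"))
            continue
        if m.issym():
            # Symlink targets are relative to the link's own directory.
            target = os.path.join(dest, os.path.dirname(m.name), m.linkname)
            if m.linkname.startswith("/") or not _inside(dest, target):
                refused.append((m.name, f"symlink escapes destination: {m.linkname}"))
                continue
            link_names.add(m.name)
        elif m.islnk():
            # Hard-link targets are relative to the archive root.
            if not _inside(dest, os.path.join(dest, m.linkname)):
                refused.append((m.name, "hard link target outside destination"))
                continue
        elif not (m.isfile() or m.isdir()):
            refused.append((m.name, "special file type"))
            continue
    return refused


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """All-or-nothing extraction: refuse the archive if any member fails the audit."""
    refused = audit_tar(tar, dest)
    if refused:
        raise ValueError(f"refusing archive: {refused}")
    tar.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed test data: one benign entry and one benign symlink beside
    three entries of the kind the audit must reject."""
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/../../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (("link_in", "docs"), ("link_out", "../../outside")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = target
            tar.addfile(link)
        planted = tarfile.TarInfo("link_in/planted.txt")  # path through a symlink
        planted.size = len(data)
        tar.addfile(planted, io.BytesIO(data))
    return buf.getvalue()


def audit_sample(dest: str = DEMO_DEST) -> list[str]:
    """Run the audit over the constructed archive; returns refused names, sorted."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return sorted(name for name, _ in audit_tar(tar, dest))


if __name__ == "__main__":
    for name in audit_sample():
        print("refused:", name)
```

On Python 3.12 and later the standard library offers the same protection through `tarfile.extractall(path, filter="data")`, which rejects escaping paths and links itself; the explicit audit above is useful where the Python version cannot be assumed, where the archive format is not tar, or where the refusal reasons need to be logged for detection.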
Vulnerability Details
CVSS v3.1 base score: 9.8 (critical)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
Date: May 27, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-7524
First tracked: May 27, 2026 at 02:08 PM
Classified by LLM (prompt v3) · confidence: 92%