CVE-2026-7528 PUBLISHED

Unauthenticated File Upload Vulnerability Allows Disk Space Exhaustion and Path Disclosure in Langflow OSS

Assigner: ibm
Reserved: 30.04.2026 Published: 27.05.2026 Updated: 27.05.2026

IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CVSS Score: 7.1

Product Status

Vendor: IBM
Product: Langflow OSS
Versions:
  • affected from 1.0.0 to 1.9.0 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.9.2.

Credits

  • This vulnerability was reported to IBM by Ori Lahav (Rubrik Inc.) orilahav@tauex.tau.ac.il. (finder)

Problem Types

  • CWE-400: Uncontrolled Resource Consumption