CVE-2026-7873 PUBLISHED

Code Injection Vulnerability in Code Validation Endpoint

Assigner: ibm
Reserved: 05.05.2026
Published: 30.06.2026
Updated: 01.07.2026

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Product Status

Vendor IBM
Product Langflow OSS
Versions
  • affected from 1.0.0 to 1.10.0 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1 https://pypi.org/project/langflow/

References

Problem Types

  • CWE-94 Improper Control of Generation of Code ('Code Injection')