Description
IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.
Published: 2026-05-27
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated file-upload flaw: an attacker can upload files without authenticating, causing uncontrolled disk space consumption and disclosing file system paths. The primary impact is denial of service through disk exhaustion; the disclosed paths may also help an attacker locate additional targets or sensitive files. The weakness is classified as CWE-400, uncontrolled resource consumption.

Affected Systems

All releases of IBM Langflow OSS from version 1.0.0 up to and including 1.9.0 are affected. The flaw lies in the file-upload feature present in those releases, regardless of the runtime environment used.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 places the flaw in the High severity band. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, given the unauthenticated nature of the file upload endpoint; note, however, that the CVSS vector recorded for this CVE (PR:L) indicates that low privileges are required, which does not match the unauthenticated characterization in the title. An attacker can repeatedly upload files, or upload very large ones, to exhaust disk space and disrupt service availability. No special privileges are required beyond the ability to reach the upload interface.

Generated by OpenCVE AI on May 27, 2026 at 20:00 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.9.2.


OpenCVE Recommended Actions

  • Apply IBM Langflow OSS 1.9.2 or later to remove the file-upload flaw.
  • Restrict file uploads to authenticated users and enforce a strict size limit on uploaded files to prevent resource exhaustion.
  • Configure the hosting environment to monitor disk usage and trigger alerts when disk space consumption approaches critical thresholds.


Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.
Title | | Unauthenticated File Upload Vulnerability Allows Disk Space Exhaustion and Path Disclosure in Langflow OSS
First Time appeared | | Ibm; Ibm langflow Oss
Weaknesses | | CWE-400
CPEs | | cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.9.0:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm langflow Oss
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-27T15:30:41.605Z

Reserved: 2026-04-30T17:42:20.909Z

Link: CVE-2026-7528

Vulnrichment

Updated: 2026-05-27T15:30:38.227Z

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:35.583

Modified: 2026-05-27T14:53:51.833

Link: CVE-2026-7528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T01:15:03Z

Weaknesses