CVE-2026-7874 - Vulnerability Details

Description

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Published: 2026-06-30

Score: 9.1 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

IBM Langflow OSS versions 1.0.0 through 1.10.0 employ a weak, reversible key derivation mechanism for encrypting stored credentials. The weakness allows an attacker who can obtain or compute the derivation key to recover all encrypted credentials, exposing user names, passwords, and API tokens and enabling complete compromise of accounts.

Affected Systems

IBM Langflow OSS, versions 1.0.0 to 1.10.0 inclusive.

Risk and Exploitability

The CVSS score of 9.1 signals a critical severity. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet. The issue is exploitable by anyone with read access to the application’s data files or who can run code in the same environment, since the reversible key derivation permits derivation of the encryption key and subsequent decryption of all stored credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IBM

Langflow OSS

affected

Version	Status	Constraints
`1.0.0`	affected	≤ 1.10.0

No data.

No data available yet.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1

OpenCVE Recommended Actions

Upgrade IBM Langflow OSS to version 1.10.1 as recommended by IBM.
After upgrading, re‑encrypt all stored credentials using the new, secure key derivation mechanism.
Rotate compromised credentials and enforce strong password or token policies to mitigate potential abuse of exposed data.

Generated by OpenCVE AI on June 30, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://www.ibm.com/support/pages/node/7278447

History

Tue, 30 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 30 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.
Title		Weak Cryptographic Key Derivation Exposed All Stored Credentials
First Time appeared		Ibm Ibm langflow Oss
Weaknesses		CWE-338
CPEs		cpe:2.3:a:ibm:langflow_oss:1.0.0:::::::* cpe:2.3:a:ibm:langflow_oss:1.10.0:::::::*
Vendors & Products		Ibm Ibm langflow Oss
References		https://www.ibm.com/support/pages/node/7278447
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Ibm Langflow Oss

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-06-30T19:11:43.653Z

Updated: 2026-06-30T19:40:24.121Z

Reserved: 2026-05-05T14:23:39.800Z

Link: CVE-2026-7874

Vulnrichment

Updated: 2026-06-30T19:39:31.080Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T20:30:04Z

Weaknesses

CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7874", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-05-05T14:23:39.800Z", "datePublished": "2026-06-30T19:11:43.653Z", "dateUpdated": "2026-06-30T19:40:24.121Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-30T19:11:43.653Z"}, "title": "Weak Cryptographic Key Derivation Exposed All Stored Credentials", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Langflow OSS", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "1.10.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest."}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7278447", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1", "supportingMedia": [{"type": "text/html", "base64": false, "value": "IBM strongly recommends addressing the vulnerability now by upgrading <a href=\"https://pypi.org/project/langflow/\" rel=\"nofollow\">Langflow OSS to version 1.10.1</a>"}]}], "credits": [{"lang": "en", "value": "Akshat Sinha (akshatgit) akshat14132@iiitd.ac.in https://github.com/akshatgit, (Kolega.dev ) kolega-ai-dev https://kolega.dev/, Christopher Lusk (north-echo) www.northecho.dev", "type": "finder"}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-30T19:39:22.263541Z", "id": "CVE-2026-7874", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T19:40:24.121Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7874", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-05-05T14:23:39.800Z", "datePublished": "2026-06-30T19:11:43.653Z", "dateUpdated": "2026-06-30T19:40:24.121Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-06-30T19:11:43.653Z"}, "title": "Weak Cryptographic Key Derivation Exposed All Stored Credentials", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Langflow OSS", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "1.10.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest."}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7278447", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1", "supportingMedia": [{"type": "text/html", "base64": false, "value": "IBM strongly recommends addressing the vulnerability now by upgrading <a href=\"https://pypi.org/project/langflow/\" rel=\"nofollow\">Langflow OSS to version 1.10.1</a>"}]}], "credits": [{"lang": "en", "value": "Akshat Sinha (akshatgit) akshat14132@iiitd.ac.in https://github.com/akshatgit, (Kolega.dev ) kolega-ai-dev https://kolega.dev/, Christopher Lusk (north-echo) www.northecho.dev", "type": "finder"}], "x_generator": {"engine": "ibm-cvegen"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-30T19:39:22.263541Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T19:39:31.080Z"}}]}}

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object