CVE Catalog

CVE-2026-7874

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a vulnerability that could disclose all stored credentials. The issue is due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Risk Assessment

An attacker can read all encrypted credentials (e.g., passwords, API tokens), leading to full compromise of credential confidentiality and potential unauthorized access to systems.

Recommendation

Immediately upgrade IBM Langflow OSS to a version later than 1.10.0 that uses a secure key derivation mechanism. Until the update, restrict system access and monitor logs for unauthorized data read attempts.

Original NVD description (English source)

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS