CVE-2026-6543 (CVSS 8.8, High severity), published April 30, 2026, affects IBM Langflow Desktop versions 1.0.0 through 1.8.4.
The vulnerability allows an attacker with low-privilege access to execute arbitrary OS commands with the privileges of the Langflow process — no user interaction required.
Langflow is an IBM-acquired, open-source low-code platform for building RAG pipelines and multi-agent AI applications. It manages connections to LLM providers, vector databases, document stores, and agent toolchains.
Successful exploitation enables reading sensitive environment variables (model API keys, database credentials), modifying AI workflow files, and launching further attacks on the internal network from the Langflow host.
This follows a pattern of active exploitation of Langflow vulnerabilities: CrowdStrike observed multiple threat actors exploiting an earlier unauthenticated RCE (CVE-2025-34291) in Langflow AI for cryptomining and data theft.
Why it matters
Langflow is a production tool for building AI agent workflows — an RCE here gives an attacker direct access to model API keys, agent configurations, vector databases, and the documents feeding RAG pipelines.
Compromised Langflow instances could be used to poison AI agent behaviors: modify prompt templates, swap model endpoints, or inject malicious tool definitions into agent workflows.
The low privilege requirement and the lack of any required user interaction make this highly exploitable in any environment where Langflow Desktop is deployed on a shared or network-accessible machine.
Langflow's history of active exploitation means threat actors are already targeting this platform — a new CVE raises the urgency significantly.
What to do
Update Langflow Desktop to a patched version (beyond 1.8.4) as soon as a fix is published by IBM.
Restrict network access to Langflow Desktop instances — ensure they are not exposed to untrusted networks.
Review model API keys, database credentials, and agent configurations stored in Langflow environments for signs of unauthorized access.
If running Langflow in production, apply defense-in-depth: run as a dedicated low-privilege user, enforce network segmentation, and monitor for unexpected outbound connections from the Langflow host.
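
The version, exposure, and privilege checks above can be run over a host inventory. The following Python script is an added example, not code from the advisory or from IBM; the process name "langflow", the record layout, and the sample `ss -ltnp` output (including port 7860 and the user) are constructed assumptions.

```python
import ipaddress
import re
# Affected range stated in the advisory: 1.0.0 through 1.8.4, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (1, 8, 4)

def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.8.4' or 'v1.8'."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def exposed_listeners(ss_output, process_name="langflow"):
    """Non-loopback listening sockets owned by process_name in `ss -ltnp` output."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN" or process_name not in fields[5].lower():
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            hits.append((host, int(port)))
    return hits

def audit(record):
    """Map one inventory record to findings that match the advisory's guidance."""
    findings = []
    if is_affected(record["version"]):
        findings.append("affected version " + record["version"])
    for host, port in exposed_listeners(record["ss"]):
        findings.append(f"listening on non-loopback {host}:{port}")
    if record["user"].lower() in ("root", "system", "administrator"):
        findings.append("runs as privileged user " + record["user"])
    return findings

# Constructed sample: process name, port, and user are illustrative assumptions.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:7860       0.0.0.0:*         users:(("langflow",pid=4121,fd=7))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=900,fd=5))
"""
SAMPLE = {"version": "1.8.4", "ss": SAMPLE_SS, "user": "root"}
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```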