IBM Langflow CVE-2026-7524 — Unauthenticated RCE via Symlink Archive Abuse

AI relevance: Langflow is a widely deployed low-code orchestration platform for LLM pipelines — an unauthenticated RCE in its project import feature gives attackers direct control over the environment that manages model API keys, agent workflows, and vector database connections.

  • CVE-2026-7524 (CVSS 9.8) affects IBM Langflow open-source versions 1.0.0 through 1.9.1. The flaw sits in archive extraction, where symbolic links in uploaded project archives are not validated before being written to disk.
  • An attacker can craft a ZIP or TAR archive containing a symlink pointing outside the extraction directory (classic symlink traversal), writing arbitrary files to the host filesystem with the permissions of the Langflow process.
  • Combined with Langflow's architecture — it stores LLM provider API keys, agent configs, and tool definitions in the same filesystem — a successful exploit grants access to the full AI supply chain for that instance.
  • A public exploit is already available on Exploit-DB, automating the full chain from symlink upload to remote command execution.
  • Multiple security agencies, including Singapore's CSA, have issued alerts noting that active exploitation has been observed in the wild against unpatched instances.
  • Langflow is the upstream for many enterprise AI orchestration deployments — the blast radius includes any organization running the low-code platform with internet-facing access.
  • This mirrors the pattern seen in other AI platform RCEs this month (Flowise CVE-2026-40933, Marimo CVE-2026-39987): the AI tooling ecosystem is under active, opportunistic exploitation.

Why it matters

Langflow instances routinely hold credentials for OpenAI, Anthropic, Azure, and other model providers. An RCE here doesn't just compromise a single application — it compromises the AI agent supply chain for that organization. With a public exploit available, unpatched internet-facing instances are likely to be hit quickly.

What to do

  • Upgrade to Langflow ≥ 1.9.2 immediately (or latest available).
  • If running a version in the affected range, restrict network access to the Langflow UI/API — it should never be internet-facing without authentication and network segmentation.
  • Rotate all model API keys and credentials stored in affected instances as a precaution.
  • Monitor for suspicious file writes outside the Langflow project directory (symlink indicators).
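
A pre-extraction check for the flaw class described above (link members and member paths that leave the extraction directory), written as an added example; it is not Langflow's code or its fix. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import tarfile
import zipfile

def escapes_root(name: str) -> bool:
    """True if a member name is absolute or climbs out of the root via '..'."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def audit_archive(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded archive (empty list = accept)."""
    findings, buf = [], io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                mode = info.external_attr >> 16  # Unix mode bits, if recorded
                if stat.S_ISLNK(mode):
                    findings.append(f"symlink member: {info.filename}")
                if escapes_root(info.filename):
                    findings.append(f"path escapes destination: {info.filename}")
        return findings
    buf.seek(0)
    with tarfile.open(fileobj=buf) as tf:
        for m in tf.getmembers():
            if m.issym() or m.islnk():
                # Reject every link: a project import has no need for them.
                findings.append(f"link member: {m.name} -> {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"special member: {m.name}")
            if escapes_root(m.name):
                findings.append(f"path escapes destination: {m.name}")
    return findings

def sample_tar(with_link: bool) -> bytes:
    """Constructed sample: a tiny project archive, optionally with a symlink."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tf:
        body = b'{"name": "demo"}'
        f = tarfile.TarInfo("project/flow.json")
        f.size = len(body)
        tf.addfile(f, io.BytesIO(body))
        if with_link:
            link = tarfile.TarInfo("project/data")
            link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
            tf.addfile(link)
    return out.getvalue()
```

Run `audit_archive` on the uploaded bytes before anything is written to disk and refuse the import if the list is non-empty. On Python 3.12 and later, `tarfile`'s `filter="data"` extraction filter adds a second layer by refusing links that point outside the destination.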

Sources