Cyber Resilience

CVE-2026-7524

Severity: Critical
Published: 27 May 2026
Modified: 02 June 2026
KEV Added: not listed in the CISA KEV catalog
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0062 (45.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-7524 is a critical-severity Path Traversal (CWE-22) vulnerability in Langflow (vendor: Langflow). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

Vulnerability details

IBM Langflow OSS versions 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.

CWE(s): CWE-22 (Path Traversal)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: langflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Path traversal via malicious archive extraction directly enables remote exploitation of the public-facing Langflow application for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42048 (same product: Langflow Langflow)
CVE-2026-33497 (same product: Langflow Langflow)
CVE-2026-21445 (same product: Langflow Langflow)
CVE-2026-33309 (same product: Langflow Langflow)
CVE-2026-33017 (same product: Langflow Langflow)
CVE-2026-0770 (same product: Langflow Langflow)
CVE-2026-33484 (same product: Langflow Langflow)
CVE-2026-33873 (same product: Langflow Langflow)
CVE-2026-27966 (same product: Langflow Langflow)
CVE-2025-34291 (same product: Langflow Langflow)

Affected Assets

Vendor: langflow
Product: langflow
Versions: 1.0.0 through 1.9.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
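The control above, applied to the archive-extraction case the vulnerability details describe, as an added example that is not Langflow's or IBM's code: a Python extractor that resolves every member path and every symlink or hard-link target against the destination directory and refuses anything that lands outside it. The archive format (tar), the `safe_extract_tar` function, the `run_demo` harness and the four small archives it builds are all constructed for this example; the advisory itself does not name the archive format or the code path involved.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchiveMember(ValueError):
    """Raised when an archive member would write or link outside the destination."""


def _is_within(base: str, candidate: str) -> bool:
    # Compare fully resolved paths: members are extracted in archive order, so a
    # symlink written by an earlier member is already on disk and realpath()
    # follows it, exposing any later write that would be redirected outside.
    base = os.path.realpath(base)
    candidate = os.path.realpath(candidate)
    return candidate == base or candidate.startswith(base + os.sep)


def safe_extract_tar(data: bytes, dest: str) -> list:
    """Extract a tar archive into dest, refusing any member that escapes it.

    Returns the names of members actually extracted, in archive order.
    Raises UnsafeArchiveMember before touching the disk for a bad member.
    """
    dest = os.path.realpath(dest)
    extract_kwargs = {"set_attrs": False}
    if hasattr(tarfile, "data_filter"):
        # Python 3.12+ (and backports) ship a stdlib filter with similar checks;
        # enabling it as well is belt-and-braces, not a substitute for the checks below.
        extract_kwargs["filter"] = "data"
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            target = os.path.join(dest, member.name)
            if os.path.isabs(member.name) or not _is_within(dest, target):
                raise UnsafeArchiveMember(f"path escapes destination: {member.name}")
            if member.issym() or member.islnk():
                # A symlink target is relative to the link's own directory;
                # a hard-link target is relative to the archive root.
                if member.issym():
                    link_target = os.path.join(os.path.dirname(target), member.linkname)
                else:
                    link_target = os.path.join(dest, member.linkname)
                if os.path.isabs(member.linkname) or not _is_within(dest, link_target):
                    raise UnsafeArchiveMember(
                        f"link escapes destination: {member.name} -> {member.linkname}"
                    )
            elif not (member.isfile() or member.isdir()):
                # Device nodes and FIFOs have no business in an uploaded bundle.
                raise UnsafeArchiveMember(f"unsupported member type: {member.name}")
            tar.extract(member, path=dest, **extract_kwargs)
            extracted.append(member.name)
    return extracted


def _make_tar(members) -> bytes:
    """Build a tarball in memory from (name, kind, payload) tuples (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                info.mode = 0o755
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed archives: one well-formed bundle and three that try to leave dest.
DEMO_ARCHIVES = {
    "benign": _make_tar([("flow", "dir", None),
                         ("flow/flow.json", "file", b"{}"),
                         ("flow/alias", "symlink", "flow.json")]),
    "dotdot": _make_tar([("../escape.txt", "file", b"x")]),
    "absolute": _make_tar([("/etc/evil.conf", "file", b"x")]),
    "symlink_out": _make_tar([("cfg", "symlink", "../../outside"),
                              ("cfg/planted.txt", "file", b"x")]),
}


def run_demo() -> dict:
    """Extract each constructed archive into a fresh temp dir; report the outcome per case."""
    results = {}
    for label, data in DEMO_ARCHIVES.items():
        with tempfile.TemporaryDirectory() as tmp:
            dest = os.path.join(tmp, "extract")
            os.mkdir(dest)
            try:
                results[label] = "extracted: " + ", ".join(safe_extract_tar(data, dest))
            except UnsafeArchiveMember as exc:
                results[label] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:12} {outcome}")
```

The check is done per member, in order, rather than in a separate validation pass: a two-pass design that validates all names first and extracts afterwards cannot see symlinks that the archive itself creates midway, which is exactly the class of defect the vulnerability details attribute to this CVE.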
