Cyber Resilience

CVE-2026-7871

CriticalRCE

Published: 30 June 2026

Published
30 June 2026
Modified
02 July 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 30.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-7871 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Langflow Langflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CWE-502 deserialization in Python-based Langflow directly enables arbitrary code execution (T1059.006) with full app privileges (T1068) for any Redis-access user.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-45852Shared CWE-502
CVE-2025-70559Shared CWE-502
CVE-2025-71354Shared CWE-502
CVE-2026-24157Shared CWE-502
CVE-2026-37552Shared CWE-502
CVE-2026-45484Shared CWE-502
CVE-2025-7433Shared CWE-502
CVE-2026-27749Shared CWE-502
CVE-2026-25551Shared CWE-502
CVE-2026-32184Shared CWE-502

Affected Assets

langflow
langflow
1.0.0 — 1.10.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-502

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

addresses: CWE-502

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Validates or rejects untrusted serialized data before deserialization occurs.

addresses: CWE-502

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

addresses: CWE-502

Integrity verification of serialized information can detect tampering before deserialization occurs.

addresses: CWE-502

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

References