Cyber Resilience

CVE-2026-7874

Severity: Critical
Published: 30 June 2026
Modified: 02 July 2026
KEV Added: not listed
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0016 (6.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-7874 is a critical-severity weak-PRNG vulnerability (CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator) in Langflow. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE is ranked at the 6.0th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

IBM Langflow OSS 1.0.0 through 1.10.0 could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

CWE(s): CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1552.001 Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Weak reversible encryption at rest directly enables access to stored credentials in application files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2026-11347 (shared CWE-338)
  • CVE-2025-15618 (shared CWE-338)
  • CVE-2022-26943 (shared CWE-338)
  • CVE-2026-9638 (shared CWE-338)
  • CVE-2023-36993 (shared CWE-338)
  • CVE-2002-20002 (shared CWE-338)
  • CVE-2024-25389 (shared CWE-338)
  • CVE-2022-20817 (shared CWE-338)
  • CVE-2022-29245 (shared CWE-338)
  • CVE-2025-66630 (shared CWE-338)

Affected Assets

Vendor: langflow
Product: langflow
Versions: 1.0.0 through 1.10.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

  • Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions. (addresses: CWE-338)
  • Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators. (addresses: CWE-338)

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248563 The OL 8 SSH server must be configured to use strong entropy. via CWE-338
RHEL 8 (1 rule)
  • V-230253 RHEL 8 must ensure the SSH server uses strong entropy. via CWE-338
Ubuntu 22.04 (1 rule)
  • V-260650 Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-338
