CVE-2026-7874
Published: 30 June 2026
Summary
CVE-2026-7874 is a critical-severity vulnerability in Langflow classed as CWE-338, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 6.0th percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40380
Vulnerability details
IBM Langflow OSS 1.0.0 through 1.10.0 could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest. An attacker who obtains the encrypted credential store (for example from a database or backup copy) can regenerate the key and decrypt every record.
- CWE(s): CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-derived)
Why these techniques?
Weak, reversible encryption at rest means the stored credentials are effectively readable by anyone who can reach the application's data files or database, which is exactly the access pattern T1552.001 describes.
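The following is an added illustration of the weakness class cited above (CWE-338 applied to an encryption-at-rest key), not Langflow's code or its actual key-derivation routine. It assumes a hypothetical application that seeds Python's non-cryptographic PRNG with a small, guessable "install id" to derive the key protecting stored credentials; an attacker holding only the encrypted rows brute-forces the seed space offline and recovers the plaintext. The hardened variant generates the key from a CSPRNG, so there is no seed to guess. The stream cipher is a demo construction (SHA-256 in counter mode, unauthenticated) standing in for a real AEAD such as AES-GCM.

```python
"""Constructed example of CWE-338 in an encryption-at-rest key: a key regenerated from a
seeded, non-cryptographic PRNG is recoverable by anyone who can guess the seed.
Not Langflow's code; the 'install id' seed and the credential format are assumptions."""
import hashlib
import random
import secrets

KEY_LEN = 32
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo-only keystream: SHA-256 in counter mode.
    Production code should use an AEAD (e.g. AES-GCM) from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream (unauthenticated; demo only)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


# --- Weak pattern (CWE-338) ---------------------------------------------------
def weak_derive_key(install_id: int) -> bytes:
    """Key material from random.Random (Mersenne Twister) seeded with a
    low-entropy, guessable value. Deterministic: same seed, same key, every time."""
    rng = random.Random(install_id)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


# --- Hardened pattern -----------------------------------------------------------
def strong_generate_key() -> bytes:
    """Fresh key from the OS CSPRNG. Persist it once in a protected location;
    it cannot be re-derived from any public or low-entropy input."""
    return secrets.token_bytes(KEY_LEN)


# --- Attacker's view: ciphertext only, key-derivation scheme known -------------
def attacker_recover(blob: bytes, max_install_id: int = 10_000):
    """Offline brute force over the seed space. Returns the recovered credential
    bytes, or None if no seed in range yields a plausible plaintext."""
    for guess in range(max_install_id):
        candidate = decrypt(weak_derive_key(guess), blob)
        # Plausibility check on the assumed credential format ("sk-..." ASCII token).
        if candidate.startswith(b"sk-") and candidate.isascii():
            return candidate
    return None


if __name__ == "__main__":
    credential = b"sk-demo-credential-0001"  # constructed sample secret

    weak_blob = encrypt(weak_derive_key(4242), credential)
    print("weak scheme, recovered:", attacker_recover(weak_blob))

    strong_blob = encrypt(strong_generate_key(), credential)
    print("strong scheme, recovered:", attacker_recover(strong_blob))
```

The brute force succeeds against the weak scheme because every candidate key is a pure function of a small integer; the CSPRNG-generated key has no such shortcut, so the same search returns nothing. The same logic applies when the seed is a hostname, a timestamp, or a short config string rather than an integer: the search space is whatever the attacker can enumerate, not 2^256.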
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness type (CWE-338) cited in the NVD entry.
Guidance from security associations on cryptographically weak PRNGs helps developers avoid using them in security-critical functions such as key generation.
Cryptographic key management standards require a cryptographically strong PRNG for all key material, which rules out deterministic or seeded general-purpose generators.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for the weakness type cited by this CVE. Derived transitively (CVE to CWE to STIG) over `controls_xwalks`, authoritative rows only.
Oracle Linux 8 (1 rule)
- V-248563 The OL 8 SSH server must be configured to use strong entropy. via CWE-338
RHEL 8 (1 rule)
- V-230253 RHEL 8 must ensure the SSH server uses strong entropy. via CWE-338
Ubuntu 22.04 (1 rule)
- V-260650 Ubuntu 22.04 LTS must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. via CWE-338