CVE-2026-7874
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a vulnerability that could disclose all stored credentials. The issue is due to the use of a weak and reversible key derivation mechanism for encryption at rest.
Risk Assessment
An attacker can read all encrypted credentials (e.g., passwords, API tokens), leading to full compromise of credential confidentiality and potential unauthorized access to systems.
Recommendation
Immediately upgrade IBM Langflow OSS to a version later than 1.10.0 that uses a secure key derivation mechanism. Until the update, restrict system access and monitor logs for unauthorized data read attempts.
Original NVD description (English source)
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow disclosure of all stored credentials due to the use of a weak and reversible key derivation mechanism for encryption at rest.

