PatchSiren cyber security CVE debrief
CVE-2026-8476 IBM CVE debrief
CVE-2026-8476: IBM Langflow OSS Remote Code Execution Vulnerability. The AsyncDiskCache class uses Python's unsafe pickle.loads() function to deserialize cached objects from disk without validation, integrity verification, or authentication. This vulnerability allows for arbitrary code execution when malicious pickle payloads are processed. Users of IBM Langflow OSS 1.0.0 through 1.10.0 are affected by this critical remote code execution vulnerability.
- Vendor
- IBM
- Product
- Langflow OSS
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of IBM Langflow OSS 1.0.0 through 1.10.0 should apply patches or mitigations to prevent exploitation of this critical remote code execution vulnerability. Security teams and operators managing Langflow OSS deployments should review and validate affected scope, apply vendor guidance, and monitor for suspicious activity.
Technical summary
IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the disk-based caching mechanism. The AsyncDiskCache class uses Python's unsafe pickle.loads() function to deserialize cached objects from disk without validation, integrity verification, or authentication, enabling arbitrary code execution when malicious pickle payloads are processed. Attackers who can influence cached data through file system access, malicious workflow inputs, custom components, or API manipulation can achieve complete system compromise with the privileges of the Langflow server process.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by IBM to fix the vulnerability
- Implement compensating controls to restrict access to cached data
- Monitor for suspicious activity related to cached objects
- Validate and verify the integrity of cached data
- Review and validate affected scope and vendor guidance
- Track exceptions and retest remediated assets
Evidence notes
The CVE record was published on 2026-07-17T20:17:30.623Z and has not been modified since then. The NVD entry is currently Received. Evidence is limited to CVE and NVD details. Defenders should verify Langflow OSS version usage and patch status.
Official resources
-
CVE-2026-8476 CVE record
CVE.org
-
CVE-2026-8476 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T20:17:30.623Z and has not been modified since then.