Critical Langflow Flaw CVE-2026-7524: TAR Symlinks Leak JWT Secret, Chain to RCE
IBM disclosed CVE-2026-7524 (CVSS 9.8) in Langflow OSS on May 27, 2026. Versions 1.0.0 through 1.9.1 are vulnerable: a crafted tar with symlinks can steal the JWT secret, forge tokens, then chain to RCE via Python Interpreter nodes. Update to v1.9.2 or later immediately.

Makoto Horikawa
Backend Engineer / AWS / Django
On May 27, 2026, IBM disclosed in a security bulletin that the OSS edition of Langflow, the popular no-code tool for assembling AI applications, contains a critical (CVSS 9.8) vulnerability tracked as CVE-2026-7524. Every release from v1.0.0 through v1.9.1 is affected, with the fix landing in v1.9.2.
The attack enters through the file upload feature of internally hosted AI chatbots. Simply uploading a crafted .tar archive lets an attacker read the JWT secret, impersonate an administrator, and ultimately chain to arbitrary code execution through the Python Interpreter node. For companies running RAG (internal knowledge-search AI) systems open to users, the very feature that lets users drop in files has become a direct path to RCE.
Langflow has already had a string of major RCE bugs since 2025, including CVE-2026-33017 (weaponized by the Flodrix botnet within 20 hours of disclosure) and CVE-2025-3248 (unauthenticated RCE in validate_code). This marks the fourth critical-severity disclosure in the same product.
What Langflow Is
Langflow is a no-code tool that lets users build AI agents and chatbots by dragging and connecting blocks on a canvas. It calls out to AI providers such as OpenAI and Anthropic, and its selling point is the ability to assemble internal document search (RAG), automated email replies, and business process automation without writing any code.
After IBM acquired Langflow's operator DataStax in 2024, the product split into the enterprise "Langflow Desktop" and the free "Langflow OSS," both officially supported by IBM. The project has racked up more than 70,000 GitHub stars and has been widely adopted by U.S. startups as a foundation for internal AI development.
In Japan as well, more companies are deploying Langflow for building internal FAQ bots or for ingesting PDFs and CSVs into question-answering systems. The problem is that the very "RAG knowledge ingestion" feature that lets users upload files is precisely the entry point exploited by this attack.
Inside CVE-2026-7524
The vulnerability lives in Langflow OSS's _unpack_bundle function. The NVD classification is CWE-22 (path traversal). The root cause is straightforward: an attacker plants a symbolic link (a file shortcut) pointing somewhere else on the OS inside a .tar archive, and when Langflow extracts it, the destination of the link is never validated, so the real target file is read as-is.
| Item | Details |
|---|---|
| CVE ID | CVE-2026-7524 |
| CVSS v3.1 Score | 9.8 (Critical) |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Vulnerability Type | CWE-22 Path Traversal |
| Vulnerable Function | _unpack_bundle (tar extraction routine) |
| Affected Versions | Langflow OSS v1.0.0 – v1.9.1 |
| Fixed Version | v1.9.2 and later |
| Affected OS | macOS / Windows / Linux |
| Disclosure Date | May 27, 2026 |
| Authentication Required | No (PR:N) |
| Attack Vector | Network (AV:N) |
| CISA KEV Listing | Not listed (as of May 27, 2026) |
The most consequential element of the CVSS vector is "PR:N" (no prior authentication). The attacker does not need any account on Langflow at all; as long as the file upload feature is exposed externally, it is within reach. For companies that opened their internal RAG bot to external users "because it was convenient," this is fatal.
Why Uploading a Single tar File Is Enough to Reach RCE
What makes CVE-2026-7524 frightening is that it does not stop at path traversal. The attack chain is assembled as follows.
| Step | Attacker Action | What Happens Inside Langflow |
|---|---|---|
| 1 | Craft a malicious tar | Plant a symlink pointing to JWT_SECRET and similar files |
| 2 | Submit it via the RAG document upload UI | _unpack_bundle follows the link as-is |
| 3 | Query the extracted content via chat | The linked JWT secret is stored in the vector DB |
| 4 | Forge an admin JWT using the secret | Impersonated login succeeds |
| 5 | Invoke the Python Interpreter node | Arbitrary code runs on the server |
The core of the attack is the seam between steps 3 and 4. Langflow drops uploaded files into a RAG-purpose vector database (a system that makes documents searchable for question answering). The attacker simply asks something like "tell me what's in this config file," and the vector DB hands back the contents of the JWT secret verbatim — behavior that should never happen.
A JWT (JSON Web Token) is a short piece of cryptographically signed text that proves "who the user is." The moment the secret key leaks, an attacker can freely forge an admin JWT on their own machine. Langflow accepts that forged token as valid, the admin console is opened, and finally the "node that runs Python code directly" is invoked, granting the attacker a foothold on the server.
The same pattern — vulnerabilities in tar extraction via symlinks — has surfaced repeatedly in projects such as node-tar and tar-rs, making it a classic pitfall for any OSS that handles archive extraction. Because Langflow sits in the path where AI-related documents are uploaded daily, the blast radius is much larger than other tar-related CVEs.
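The missing check described above, validating link targets before anything is extracted, can be sketched as a pre-extraction audit. This is an added example, not Langflow's code or its v1.9.2 fix; the function names, the sample archive and its placeholder paths are constructed for illustration, and the policy assumes extraction into a fresh, empty directory.

```python
import io
import tarfile
from pathlib import PurePosixPath


def leaves_root(path: str) -> bool:
    p = PurePosixPath(path)  # tar stores POSIX-style paths
    return p.is_absolute() or ".." in p.parts


def audit_tar(fileobj) -> list:
    """Return (member, reason) pairs for entries unsafe to extract from an upload.
    Policy (fresh, empty destination assumed): names and link targets must be
    relative with no '..', so every link resolves below the extraction root."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            if leaves_root(m.name):
                findings.append((m.name, "member path leaves extraction root"))
            elif m.issym() or m.islnk():
                if leaves_root(m.linkname):
                    kind = "symlink" if m.issym() else "hard link"
                    findings.append((m.name, f"{kind} target leaves root"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file (device or FIFO)"))
    return findings


def build_sample() -> io.BytesIO:
    """Constructed test archive: one document plus safe and unsafe links."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"How do I reset my password?\n"
        doc = tarfile.TarInfo("docs/faq.txt")
        doc.size = len(body)
        tar.addfile(doc, io.BytesIO(body))
        for name, target, kind in [
            ("docs/a.txt", "/placeholder/secret", tarfile.SYMTYPE),  # absolute
            ("docs/b.txt", "../../placeholder", tarfile.SYMTYPE),    # climbs out
            ("docs/c.txt", "faq.txt", tarfile.SYMTYPE),              # stays inside
            ("docs/d.txt", "../outside.txt", tarfile.LNKTYPE),       # hard link out
        ]:
            link = tarfile.TarInfo(name)
            link.type, link.linkname = kind, target
            tar.addfile(link)
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    print(*audit_tar(build_sample()), sep="\n")
```

On Python 3.12 and later, extracting with `tarfile`'s `filter="data"` also refuses absolute links and links that resolve outside the destination; the audit above is stricter and runs before any bytes reach disk. Drive-letter targets on Windows are not covered by the POSIX path check and need a separate test.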
Langflow Has Been a Repeated Target
This is not the first serious flaw in Langflow. By design, an AI agent-building tool has to treat "user input as code or configuration" in many places, and the past year alone has produced a steady drumbeat of critical CVEs.
| CVE ID | CVSS | Issue | Exploitation Status |
|---|---|---|---|
| CVE-2025-3248 | 9.8 | Unauthenticated RCE in validate_code | Listed in CISA KEV |
| CVE-2026-33017 | 9.8 | RCE in the public flow build endpoint | Adopted by the Flodrix botnet within 20 hours |
| CVE-2026-6543 | 9.8 | Command injection in Langflow Desktop | PoC public |
| CVE-2026-42048 | 8.8 | Path traversal in the Knowledge Bases API | Disclosed |
| CVE-2026-7524 (this) | 9.8 | Tar symlink validation gap → JWT leak → RCE | Disclosed May 27, 2026 |
CVE-2026-33017 in particular shocked the AI application industry when it was incorporated into the Flodrix botnet just 20 hours after disclosure and used as a foothold to maintain access inside corporate networks. JFrog's research later revealed that the version 1.8.2 that IBM had labeled as "fixed" was still exploitable in practice, hardening the perception among operators that "Langflow patches tend to be quickly followed by yet another issue."
CVE-2026-7524 sits squarely in that lineage. Unlike CVE-2026-33017, which only affected installations exposing the flow build endpoint, this issue applies to "every Langflow OSS server that has file upload open for RAG use" — so the impact is actually broader.
What To Do Now
Remediation should proceed in the following order.
1. Upgrade Langflow OSS to v1.9.2 or later. If you run it via Docker, switch to the langflowai/langflow:1.9.2 tag or later. The GitHub releases page hosts container images and Python wheels for each version. For pip installs, run pip install --upgrade "langflow>=1.9.2".
2. If you cannot upgrade right away, temporarily disable file upload. In particular, if RAG-related "Knowledge Base" or "File Upload" components are exposed to external users, move them behind an authenticated route or apply IP access restrictions. Even just opening the Langflow admin UI, editing the flow, and disabling those nodes is enough to close the attack entry point.
3. Rotate the JWT secret immediately. Even after upgrading, if you have already been attacked the secret may already be in the wrong hands. Replace the LANGFLOW_SECRET_KEY environment variable with a new value and force every user to log out.
4. Audit how Python Interpreter / Code Execution nodes are being used. These are the nodes used in the final step of the attack chain. Check whether they remain enabled inside flows you don't actively use, and remove them if they are unnecessary.
5. Review access logs going back at least 30 days. Look for suspicious bursts of traffic against file upload endpoints such as /api/v1/files/upload, particularly the upload history of .tar files. A successful attack is typically followed shortly afterward by chat queries asking about the contents of the uploaded file — if you see that combination, treat it as a likely compromise.
Why This Class of Bug Keeps Appearing in AI Tools
It is not just Langflow. Between 2025 and 2026, AI-adjacent OSS projects such as LiteLLM, GlassWorm (npm supply chain), and Trivy have produced a string of critical vulnerabilities. Three structural causes recur.
First, AI applications handle a vastly larger surface of untrusted input than traditional web apps: natural language input from users, files uploaded by users, responses from external APIs, and so on. The tar extraction in this case was supposed to be a convenience for ingesting internal documents, but it turned into an attack surface.
Second, AI agent tools market themselves on the promise of "do anything without writing code," so highly privileged components like Python execution nodes ship as standard. They are useful features in their own right, but the moment they combine with an authentication bypass they become the final puzzle piece for RCE.
Third, OSS projects that grew rapidly on the AI wave cannot keep their security review pace in line with their feature delivery pace. Langflow's run of CVEs reflects less a lack of effort from the dev team and more the broader reality that the AI industry has moved into production while still operating in "make it work first" mode.
Bugs of this kind cannot be detected without continuously scanning the dependency tree of every OSS library in use. Not only Langflow itself, but the tar extraction library and the authentication library it depends on internally may carry the same hole. For supply-chain checks, our OSS Supply Chain Scanner lets you review the current CVE status of the packages you actually use, all in one place.
CISA KEV Status
As of May 27, 2026, CVE-2026-7524 is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. That said, given that the earlier Langflow flaw CVE-2025-3248 was added to KEV not long after disclosure and that CVE-2026-33017 saw real-world exploitation within 20 hours, it is entirely plausible that CVE-2026-7524 will be added to KEV in the near future.
We continuously update the list of actively exploited CVEs — including those affecting Langflow — and the official remediation deadlines on our CISA KEV Dashboard. When the listing happens, you can immediately check the impact and deadlines that apply to Japanese organizations.
References
- NVD - CVE-2026-7524 Detail (published May 27, 2026)
- IBM Security Bulletin - Path Traversal Vulnerability in File Processing Components (IBM official advisory)
- CVE.org - CVE-2026-7524 Record
- Sysdig - CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours
- JFrog Security Research - Langflow CVE-2026-33017: Latest 'fixed' version is still exploitable
- Trend Micro - Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
- runZero - Langflow Flodrix vulnerability CVE-2026-33017: Find impacted assets
- GitHub - langflow-ai/langflow Releases
- Langflow Documentation - Security
- CISA - Known Exploited Vulnerabilities Catalog