Summary
CVE-2026-7872 is a path traversal vulnerability (CWE-22) in IBM Langflow OSS versions 1.0.0 through 1.10.0, rated High (CVSS 7.5). By uploading a specially crafted tar archive, an attacker can read arbitrary files from the server — including the application’s JWT signing key — enabling complete authentication bypass through forged tokens for any user, including administrators. IBM has released version 1.10.1 to remediate the flaw.
Technical details
- Root cause: A timing flaw in the symbolic link validation logic within the file component’s tar archive extraction. The application performs lexical resolution of symbolic link members before writing them to disk, allowing validation to pass while the subsequent extraction creates symlinks that point outside the intended directory (CWE-22: Improper Limitation of a Pathname to a Restricted Directory).
- Trigger conditions: An attacker uploads a specially crafted tar archive containing embedded symbolic links targeting arbitrary paths on the server — for example, the application’s JWT secret key file.
- Attack vector: Network-delivered over HTTP/HTTPS to the Langflow file upload endpoint. The CVSS vector records no required privileges and no user interaction; in practice, the authentication barrier is low given Langflow’s documented default configuration of
AUTO_LOGINenabled. - Impact: Successful exploitation grants read access to any file accessible to the application process. Extracting the JWT signing key allows forging valid authentication tokens for any user, including administrators, constituting a full authentication bypass. In Langflow’s architecture, administrative access further enables downstream remote code execution via Python code execution nodes.
Affected software
- IBM Langflow OSS versions 1.0.0 through 1.10.0
Severity
CVSS v3.1 Base Score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Mitigation and recommended actions
- Immediate: Upgrade to Langflow OSS 1.10.1 or later, available via PyPI.
- If immediate patching is not possible: Restrict network access to file upload endpoints at the firewall or reverse-proxy level, and rotate the application’s
secret_keyif filesystem exposure is suspected. IBM has not published an alternative workaround.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

