IBM Langflow Desktop 1.0.01.8.4 CMD Exec Vulnerability
CVE-2026-6543 Published on April 30, 2026
Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.
Vulnerability Analysis
CVE-2026-6543 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-6543 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-6543
Want to know whenever a new CVE is published for IBM Langflow Desktop? stack.watch will email you.
Affected Versions
IBM Langflow Desktop:- Version 1.0.0, <= 1.8.4 is affected.