CVE-2026-3357 (GCVE-0-2026-3357)
Vulnerability from cvelistv5
Published
2026-04-08 00:19
Modified
2026-04-08 15:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Langflow Desktop |
Version: 1.6.0 ≤ 1.8.2 cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T15:41:44.331099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T15:41:55.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:*"
],
"product": "Langflow Desktop",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was reported to IBM by Weblover."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.\u003c/p\u003e"
}
],
"value": "IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T00:19:11.414Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7268428"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u0026nbsp;\u003ca href=\"https://www.langflow.org/blog/langflow-1-8-desktop\" rel=\"nofollow\"\u003ehttps://www.langflow.org/blog/langflow-1-8-desktop\u003c/a\u003e\u003c/p\u003e\u003cp\u003eIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\u003c/p\u003e\u003cp\u003eTo install Langflow Desktop for the first time, visit \u003ca href=\"https://langflow.org/desktop\" rel=\"nofollow\"\u003eDownload Langflow Desktop\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u00a0 https://www.langflow.org/blog/langflow-1-8-desktop \n\nIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\n\nTo install Langflow Desktop for the first time, visit Download Langflow Desktop https://langflow.org/desktop ."
}
],
"title": "IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-3357",
"datePublished": "2026-04-08T00:19:11.414Z",
"dateReserved": "2026-02-27T18:17:58.431Z",
"dateUpdated": "2026-04-08T15:41:55.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3357\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T15:41:44.331099Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T15:41:50.528Z\"}}], \"cna\": {\"title\": \"IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"This vulnerability was reported to IBM by Weblover.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:ibm:langflow_desktop:1.6.0:*:*:*:*:*:*:*\", \"cpe:2.3:a:ibm:langflow_desktop:1.8.2:*:*:*:*:*:*:*\"], \"vendor\": \"IBM\", \"product\": \"Langflow Desktop\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.8.2\"}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\\u00a0 https://www.langflow.org/blog/langflow-1-8-desktop \\n\\nIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\\n\\nTo install Langflow Desktop for the first time, visit Download Langflow Desktop https://langflow.org/desktop .\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.8.3 or newer\u0026nbsp;\u003ca href=\\\"https://www.langflow.org/blog/langflow-1-8-desktop\\\" rel=\\\"nofollow\\\"\u003ehttps://www.langflow.org/blog/langflow-1-8-desktop\u003c/a\u003e\u003c/p\u003e\u003cp\u003eIf you are already using Langflow Desktop, upgrade in the application to version 1.8.3\u003c/p\u003e\u003cp\u003eTo install Langflow Desktop for the first time, visit \u003ca href=\\\"https://langflow.org/desktop\\\" rel=\\\"nofollow\\\"\u003eDownload Langflow Desktop\u003c/a\u003e.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.ibm.com/support/pages/node/7268428\", \"tags\": [\"vendor-advisory\", \"patch\"]}], \"x_generator\": {\"engine\": \"ibm-cvegen\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eIBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"shortName\": \"ibm\", \"dateUpdated\": \"2026-04-08T00:19:11.414Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-3357\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T15:41:55.112Z\", \"dateReserved\": \"2026-02-27T18:17:58.431Z\", \"assignerOrgId\": \"9a959283-ebb5-44b6-b705-dcc2bbced522\", \"datePublished\": \"2026-04-08T00:19:11.414Z\", \"assignerShortName\": \"ibm\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…