CVE-2026-7871 · OWASP A03 · Software Supply Chain Failures · CWE-502 Deserialization of Untrusted Data · CVSS 9.8 Critical

Langflow — RCE via the Redis backend

Anyone who could reach Langflow's Redis got code execution through unsafe deserialization.

What happened

Self-hosted AI builders like Langflow store flow state in Redis. In 2026 a deserialization flaw meant that anyone who could reach that Redis instance — often left open on a default port with no auth — could get RCE on the Langflow host. AI infra is the new soft target: shipped fast, exposed by default, rarely hardened.

The code

✕ Vulnerable · AI infra
import pickle
import redis

# Redis reachable with no auth, and pickled objects trusted from it
r = redis.Redis(host="0.0.0.0", port=6379)   # bound to the world
state = pickle.loads(r.get("flow:current"))   # pickle = arbitrary code
✓ Fixed · AI infra
import json
import os
import redis

# 1) Never expose Redis: bind 127.0.0.1, require AUTH, network-isolate.
# 2) Don't pickle untrusted data — use JSON with a schema.
r = redis.Redis(host="127.0.0.1", password=os.environ["REDIS_PW"])
state = json.loads(r.get("flow:current"))
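
The fixed snippet parses JSON but does not show the schema check its comment calls for. The added example below (not code from Langflow or from this page) is one way to do that check on the bytes read from Redis; the field names, the size cap and the sample values are assumptions made for illustration.

```python
import json
import pickle

# Hypothetical flow-state schema: exact key set and the expected type of each key.
FLOW_SCHEMA = {"flow_id": str, "step": int, "inputs": dict}
MAX_BYTES = 64 * 1024  # assumed upper bound for one stored record


class InvalidFlowState(ValueError):
    """The stored value is not a well-formed flow-state record."""


def load_flow_state(raw):
    """Decode bytes read from Redis as schema-checked JSON; never unpickle."""
    if raw is None:
        raise InvalidFlowState("key missing")
    if len(raw) > MAX_BYTES:
        raise InvalidFlowState("value too large")
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise InvalidFlowState(f"not JSON: {exc}") from exc
    if not isinstance(doc, dict) or set(doc) != set(FLOW_SCHEMA):
        raise InvalidFlowState("unexpected top-level shape or keys")
    for key, typ in FLOW_SCHEMA.items():
        # bool is a subclass of int, so reject it explicitly (no field here is bool)
        if isinstance(doc[key], bool) or not isinstance(doc[key], typ):
            raise InvalidFlowState(f"bad type for {key!r}")
    return doc


def accepts(raw):
    """True if the value passes validation, False if it is rejected."""
    try:
        load_flow_state(raw)
        return True
    except InvalidFlowState:
        return False


# Constructed sample values standing in for r.get("flow:current").
GOOD = b'{"flow_id": "demo-1", "step": 3, "inputs": {"q": "hi"}}'
LEGACY_PICKLE = pickle.dumps({"flow_id": "demo-1", "step": 3, "inputs": {}})  # benign dict
EXTRA_KEY = b'{"flow_id": "demo-1", "step": 3, "inputs": {}, "cls": "x"}'
WRONG_TYPE = b'{"flow_id": "demo-1", "step": "3", "inputs": {}}'

if __name__ == "__main__":
    for name in ("GOOD", "LEGACY_PICKLE", "EXTRA_KEY", "WRONG_TYPE"):
        print(name, "accepted" if accepts(globals()[name]) else "rejected")
```

A rejected value is worth logging as well as dropping: a pickle stream showing up under a key that should hold JSON means something other than the application wrote to Redis.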

Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.