CVE-2026-7871 | OWASP A03 · Software Supply Chain Failures | CWE-502 Deserialization of Untrusted Data | CVSS 9.8 Critical
Langflow — RCE via the Redis backend
Anyone who could reach Langflow's Redis got code execution through unsafe deserialization.
What happened
Self-hosted AI builders like Langflow store flow state in Redis. In 2026 a deserialization flaw meant that anyone who could reach that Redis instance — often left open on a default port with no auth — could get RCE on the Langflow host. AI infra is the new soft target: shipped fast, exposed by default, rarely hardened.
The code
✕ Vulnerable — AI infra
import pickle
import redis

# Redis reachable with no auth, and pickled objects trusted from it
r = redis.Redis(host="0.0.0.0", port=6379)  # bound to the world
state = pickle.loads(r.get("flow:current"))  # pickle = arbitrary code

✓ Fixed — AI infra
import json
import os
import redis

# 1) Never expose Redis: bind 127.0.0.1, require AUTH, network-isolate.
# 2) Don't pickle untrusted data — use JSON with a schema.
r = redis.Redis(host="127.0.0.1", password=os.environ["REDIS_PW"])
state = json.loads(r.get("flow:current"))
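Point 2 of the fix says "JSON with a schema" but the snippet stops at json.loads. The following is an added example, not Langflow's code and not part of the original case study, of a strict loader for the bytes returned by r.get(). The field names (flow_id, version, nodes, id, type, params) and the 64 KiB cap are assumptions made for illustration.

```python
import json
import pickle

# Hypothetical schema for a flow-state record (assumed field names, not Langflow's).
SCHEMA = {"flow_id": str, "version": int, "nodes": list}
NODE_SCHEMA = {"id": str, "type": str, "params": dict}
MAX_BYTES = 64 * 1024  # assumed cap so a poisoned key cannot exhaust memory


class InvalidFlowState(ValueError):
    """Raised when a value read from Redis is not a well-formed flow state."""


def _check(obj, schema, where):
    if not isinstance(obj, dict):
        raise InvalidFlowState(f"{where}: expected object")
    if set(obj) != set(schema):
        raise InvalidFlowState(f"{where}: key mismatch {sorted(set(obj) ^ set(schema))}")
    for key, typ in schema.items():
        # bool is a subclass of int in Python, so reject it explicitly
        if not isinstance(obj[key], typ) or isinstance(obj[key], bool):
            raise InvalidFlowState(f"{where}.{key}: expected {typ.__name__}")


def load_flow_state(raw):
    """Parse and validate bytes as returned by r.get(); never unpickles."""
    if raw is None:
        raise InvalidFlowState("key missing")
    if len(raw) > MAX_BYTES:
        raise InvalidFlowState("value too large")
    try:
        state = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError, RecursionError) as exc:
        raise InvalidFlowState(f"not JSON: {exc}") from exc
    _check(state, SCHEMA, "state")
    for i, node in enumerate(state["nodes"]):
        _check(node, NODE_SCHEMA, f"nodes[{i}]")
    return state


# Constructed sample values standing in for r.get("flow:current")
GOOD = b'{"flow_id": "f-1", "version": 2, "nodes": [{"id": "n1", "type": "prompt", "params": {}}]}'
EXTRA_KEY = b'{"flow_id": "f-1", "version": 2, "nodes": [], "__class__": "x"}'
PICKLE_LIKE = pickle.dumps({"a": 1})  # benign legacy-style value; only ever rejected
```

A rejected value is worth logging and alerting on: a pickle-shaped or off-schema entry under a key the application owns means something other than the application wrote to Redis.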
Educational case study. The "vulnerable" snippet is a minimal teaching example, not a working exploit. Benteng · a Palu Gada tool.