CVE-2026-3357
IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
08 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
IBM · Langflow Desktop