What happened
IBM's security bulletin (dated 2026-06-29) confirms that Langflow's credential encryption used Python's Mersenne Twister PRNG (a non-cryptographic PRNG), seeded with SECRET_KEY, to derive the Fernet symmetric keys used for at-rest credential encryption. Because the derived key is a pure function of SECRET_KEY, any attacker who obtains SECRET_KEY can decrypt every stored credential offline, with no brute force required. The flaw is chainable with a path traversal in the MCP endpoint: first exfiltrate SECRET_KEY, then decrypt all credentials.
Why it matters
Langflow is a central AI orchestration hub that stores credentials for every LLM provider (OpenAI, Anthropic, etc.) and downstream database. A compromise gives an attacker keys to all AI services integrated with the platform. IBM rated this CVSS 9.1 Critical. IONIX confirmed unauthenticated remote attackers can exploit this to fully disclose all stored credentials.
Attack vector
Langflow used Python's non-cryptographic Mersenne Twister PRNG, seeded with SECRET_KEY, to derive Fernet encryption keys. When SECRET_KEY is shorter than 32 characters, the derived key is fully deterministic; even with longer keys, the raw SECRET_KEY was used directly as the Fernet key, so offline decryption is trivial once the secret_key file is obtained (for example via the companion MCP path traversal CVE).
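To make the weakness concrete, the following added example (not Langflow's code and not part of IBM's advisory) contrasts the flawed pattern, a Fernet-shaped key pulled from Mersenne Twister seeded with the secret, with a hardened derivation from a random master key through HKDF-SHA256. The function names, the HKDF context string and the configuration check are assumptions for the illustration; the 32-character threshold in the check is taken from the bulletin's text and does not by itself fix the flaw, since the advisory states that longer secrets were used directly as the key.

```python
import base64
import hashlib
import hmac
import random
import secrets


def weak_key_from_secret(secret_key: str) -> bytes:
    """Illustrative WEAK pattern (assumption: modelled on the bulletin's description,
    not Langflow's actual code). Seeding Mersenne Twister with the secret and
    reading 32 bytes yields a key that is a pure function of secret_key:
    identical in every process, so no key material exists beyond the secret."""
    rng = random.Random(secret_key)          # non-cryptographic, fully deterministic
    raw = bytes(rng.getrandbits(8) for _ in range(32))
    return base64.urlsafe_b64encode(raw)     # Fernet keys are 32 bytes, urlsafe-b64


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract-then-expand), stdlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()       # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_master_key() -> bytes:
    """Hardened: the root secret is 32 bytes from the OS CSPRNG, never a typed string."""
    return secrets.token_bytes(32)


def strong_fernet_key(master_key: bytes, salt: bytes) -> bytes:
    """Hardened derivation: a per-installation random salt plus a context label
    (assumed label, chosen for this example) via HKDF, then Fernet encoding."""
    if len(master_key) < 32 or len(salt) < 16:
        raise ValueError("master key must be >= 32 bytes and salt >= 16 bytes")
    return base64.urlsafe_b64encode(
        hkdf_sha256(master_key, salt, b"example-app credential-encryption v1", 32)
    )


def check_secret_key_config(secret_key: str) -> list:
    """Defender-side configuration check. Returns a list of findings; an empty
    list means the value clears the checks this example knows about.
    The 32-character threshold is the one the bulletin cites; passing it is
    necessary but not sufficient, so the remediation remains the upgrade."""
    findings = []
    if len(secret_key) < 32:
        findings.append("SECRET_KEY shorter than 32 characters: derived key has low entropy")
    if secret_key.strip() != secret_key or secret_key == "":
        findings.append("SECRET_KEY empty or has surrounding whitespace")
    return findings


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    print("weak key reproducible from secret alone:",
          weak_key_from_secret("changeme") == weak_key_from_secret("changeme"))
    mk, salt = generate_master_key(), secrets.token_bytes(16)
    print("hardened key:", strong_fernet_key(mk, salt).decode())
    print("config findings:", check_secret_key_config("changeme"))
```

The weak function exists only to show the property the advisory describes: two calls (or two hosts) with the same secret produce byte-identical keys, which is exactly why possession of SECRET_KEY alone suffices. The hardened path still depends on the master key staying secret, so it complements, rather than replaces, the upgrade and credential rotation in the mitigation section.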
Affected systems
IBM Langflow OSS 1.0.0 – 1.10.0
Mitigation
Upgrade to Langflow 1.10.1. Immediately rotate all previously stored credentials (LLM API keys, DB passwords, OAuth tokens). IBM advisory: https://www.ibm.com/support/pages/node/7278447