CVE-2024-48061: Langflow RCE — CRITICAL

Q: Is CVE-2024-48061 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48061, increasing the risk of exploitation.

Q: How to fix CVE-2024-48061?

1. IMMEDIATE: Identify all Langflow instances via asset inventory and network scans. 2. ISOLATE: If running ≤1.0.18, block public/intranet access immediately — restrict to localhost or VPN with allowlisted IPs via firewall rules. 3. PATCH: Upgrade to the latest Langflow release and verify sandboxing controls are present in release notes. 4. ASSUME BREACH: For any internet-exposed instance, rotate all credentials stored on or accessible from the host (LLM API keys, DB passwords, cloud credentials). 5. DETECT: Review process execution logs for the Langflow service process — look for spawned child processes, outbound connections on non-standard ports, or file writes outside the Langflow data directory. 6. HARDEN: Run Langflow in a container with no-new-privileges, read-only root filesystem where possible, and network egress restrictions. 7. MONITOR: Alert on any code component execution that spawns subprocess calls or makes unexpected network connections.

Q: What systems are affected by CVE-2024-48061?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, RAG pipelines, AI development environments, multi-agent orchestration.

Q: What is the CVSS score for CVE-2024-48061?

CVE-2024-48061 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.32%.

CISO Take

Any Langflow instance ≤1.0.18 exposed to the network is fully compromised with zero barriers — no auth, no complexity, no user interaction required (CVSS 9.8). Attackers can execute arbitrary code on the host, accessing AI API keys, model artifacts, training data, and pivoting to connected infrastructure. Immediately audit for exposed Langflow deployments, restrict to VPN/internal access only, and treat any internet-facing instance as already compromised pending forensic review.

What is the risk?

Severity is maximum. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) means exploitation requires only network reachability — no credentials, no complex conditions, no victim interaction. EPSS of 10.2% indicates meaningful real-world exploitation probability within 30 days of scoring. Langflow is widely adopted in enterprise AI development environments, often deployed with broad internal network access and privileged credentials for LLM APIs. The absence of sandboxing is architectural, not incidental — all code components execute directly on the host OS, making the blast radius equivalent to full server compromise.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →
Langflow	pip	<= 1.0.18	No patch
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

1.3%

chance of exploitation in 30 days

Higher than 67% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

7 steps

IMMEDIATE

Identify all Langflow instances via asset inventory and network scans.
ISOLATE

If running ≤1.0.18, block public/intranet access immediately — restrict to localhost or VPN with allowlisted IPs via firewall rules.
PATCH

Upgrade to the latest Langflow release and verify sandboxing controls are present in release notes.
ASSUME BREACH

For any internet-exposed instance, rotate all credentials stored on or accessible from the host (LLM API keys, DB passwords, cloud credentials).
DETECT

Review process execution logs for the Langflow service process — look for spawned child processes, outbound connections on non-standard ports, or file writes outside the Langflow data directory.
HARDEN

Run Langflow in a container with no-new-privileges, read-only root filesystem where possible, and network egress restrictions.
MONITOR

Alert on any code component execution that spawns subprocess calls or makes unexpected network connections.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk treatment A.6.2.6 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to respond to and recover from AI risks MAP-5.1 - Likelihood and magnitude of identified impacts

OWASP LLM Top 10

LLM08:2023 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-48061?

Any Langflow instance ≤1.0.18 exposed to the network is fully compromised with zero barriers — no auth, no complexity, no user interaction required (CVSS 9.8). Attackers can execute arbitrary code on the host, accessing AI API keys, model artifacts, training data, and pivoting to connected infrastructure. Immediately audit for exposed Langflow deployments, restrict to VPN/internal access only, and treat any internet-facing instance as already compromised pending forensic review.

Is CVE-2024-48061 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48061, increasing the risk of exploitation.

How to fix CVE-2024-48061?

1. IMMEDIATE: Identify all Langflow instances via asset inventory and network scans. 2. ISOLATE: If running ≤1.0.18, block public/intranet access immediately — restrict to localhost or VPN with allowlisted IPs via firewall rules. 3. PATCH: Upgrade to the latest Langflow release and verify sandboxing controls are present in release notes. 4. ASSUME BREACH: For any internet-exposed instance, rotate all credentials stored on or accessible from the host (LLM API keys, DB passwords, cloud credentials). 5. DETECT: Review process execution logs for the Langflow service process — look for spawned child processes, outbound connections on non-standard ports, or file writes outside the Langflow data directory. 6. HARDEN: Run Langflow in a container with no-new-privileges, read-only root filesystem where possible, and network egress restrictions. 7. MONITOR: Alert on any code component execution that spawns subprocess calls or makes unexpected network connections.

What systems are affected by CVE-2024-48061?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, RAG pipelines, AI development environments, multi-agent orchestration.

What is the CVSS score for CVE-2024-48061?

CVE-2024-48061 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.32%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM workflow buildersRAG pipelinesAI development environmentsmulti-agent orchestration

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0072 Reverse Shell

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: 6.1.2, A.6.2.6

NIST AI RMF: MANAGE-2.2, MAP-5.1

OWASP LLM Top 10: LLM08:2023

What are the technical details?

Original Advisory

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.

Exploitation Scenario

An adversary scans the internet for exposed Langflow instances (port 7860/7861 or custom). Upon locating a target, they access the Langflow UI without authentication and create or import a flow containing a Python code component. The component embeds a reverse shell payload (e.g., subprocess spawning a bash reverse shell to an attacker-controlled server) or directly reads and exfiltrates environment variables containing LLM API keys. Since the code runs directly on the host OS under the Langflow process's privileges, the attacker gains immediate shell access. From there, they harvest API keys for OpenAI, Anthropic, or enterprise LLM gateways, enabling AI cost abuse, data exfiltration from connected vector databases, and lateral movement to cloud environments via stored credentials. The entire kill chain requires no prior knowledge of the target — the Langflow UI itself is the exploit surface.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94 Improper Control of Generation of Code ('Code Injection')

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

[Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
[Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.