CVE-2024-48061 — CRITICAL (CVSS 9.8) AI Security Vulnerability

Q: Is CVE-2024-48061 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48061, increasing the risk of exploitation.

Q: How to fix CVE-2024-48061?

1. IMMEDIATE: Identify all Langflow instances via asset inventory and network scans. 2. ISOLATE: If running ≤1.0.18, block public/intranet access immediately — restrict to localhost or VPN with allowlisted IPs via firewall rules. 3. PATCH: Upgrade to the latest Langflow release and verify sandboxing controls are present in release notes. 4. ASSUME BREACH: For any internet-exposed instance, rotate all credentials stored on or accessible from the host (LLM API keys, DB passwords, cloud credentials). 5. DETECT: Review process execution logs for the Langflow service process — look for spawned child processes, outbound connections on non-standard ports, or file writes outside the Langflow data directory. 6. HARDEN: Run Langflow in a container with no-new-privileges, read-only root filesystem where possible, and network egress restrictions. 7. MONITOR: Alert on any code component execution that spawns subprocess calls or makes unexpected network connections.

Q: What systems are affected by CVE-2024-48061?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, RAG pipelines, AI development environments, multi-agent orchestration.

Q: What is the CVSS score for CVE-2024-48061?

CVE-2024-48061 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 13.20%.

CISO Take

Any Langflow instance ≤1.0.18 exposed to the network is fully compromised with zero barriers — no auth, no complexity, no user interaction required (CVSS 9.8). Attackers can execute arbitrary code on the host, accessing AI API keys, model artifacts, training data, and pivoting to connected infrastructure. Immediately audit for exposed Langflow deployments, restrict to VPN/internal access only, and treat any internet-facing instance as already compromised pending forensic review.

Risk Assessment

Severity is maximum. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) means exploitation requires only network reachability — no credentials, no complex conditions, no victim interaction. EPSS of 10.2% indicates meaningful real-world exploitation probability within 30 days of scoring. Langflow is widely adopted in enterprise AI development environments, often deployed with broad internal network access and privileged credentials for LLM APIs. The absence of sandboxing is architectural, not incidental — all code components execute directly on the host OS, making the blast radius equivalent to full server compromise.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 38% patched ~53d to patch Full package profile →
langflow	pip	<= 1.0.18	No patch
147.6K Pushed 6d ago 38% patched ~53d to patch Full package profile →

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

13.2%

chance of exploitation in 30 days

Higher than 94% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 13%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

7 steps

IMMEDIATE

Identify all Langflow instances via asset inventory and network scans.
ISOLATE

If running ≤1.0.18, block public/intranet access immediately — restrict to localhost or VPN with allowlisted IPs via firewall rules.
PATCH

Upgrade to the latest Langflow release and verify sandboxing controls are present in release notes.
ASSUME BREACH

For any internet-exposed instance, rotate all credentials stored on or accessible from the host (LLM API keys, DB passwords, cloud credentials).
DETECT

Review process execution logs for the Langflow service process — look for spawned child processes, outbound connections on non-standard ports, or file writes outside the Langflow data directory.
HARDEN

Run Langflow in a container with no-new-privileges, read-only root filesystem where possible, and network egress restrictions.
MONITOR

Alert on any code component execution that spawns subprocess calls or makes unexpected network connections.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk treatment A.6.2.6 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to respond to and recover from AI risks MAP-5.1 - Likelihood and magnitude of identified impacts

OWASP LLM Top 10

LLM08:2023 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-48061?

Any Langflow instance ≤1.0.18 exposed to the network is fully compromised with zero barriers — no auth, no complexity, no user interaction required (CVSS 9.8). Attackers can execute arbitrary code on the host, accessing AI API keys, model artifacts, training data, and pivoting to connected infrastructure. Immediately audit for exposed Langflow deployments, restrict to VPN/internal access only, and treat any internet-facing instance as already compromised pending forensic review.

Is CVE-2024-48061 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-48061, increasing the risk of exploitation.

How to fix CVE-2024-48061?

1. IMMEDIATE: Identify all Langflow instances via asset inventory and network scans. 2. ISOLATE: If running ≤1.0.18, block public/intranet access immediately — restrict to localhost or VPN with allowlisted IPs via firewall rules. 3. PATCH: Upgrade to the latest Langflow release and verify sandboxing controls are present in release notes. 4. ASSUME BREACH: For any internet-exposed instance, rotate all credentials stored on or accessible from the host (LLM API keys, DB passwords, cloud credentials). 5. DETECT: Review process execution logs for the Langflow service process — look for spawned child processes, outbound connections on non-standard ports, or file writes outside the Langflow data directory. 6. HARDEN: Run Langflow in a container with no-new-privileges, read-only root filesystem where possible, and network egress restrictions. 7. MONITOR: Alert on any code component execution that spawns subprocess calls or makes unexpected network connections.

What systems are affected by CVE-2024-48061?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, RAG pipelines, AI development environments, multi-agent orchestration.

What is the CVSS score for CVE-2024-48061?

CVE-2024-48061 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 13.20%.

Technical Details

NVD Description

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.

Exploitation Scenario

An adversary scans the internet for exposed Langflow instances (port 7860/7861 or custom). Upon locating a target, they access the Langflow UI without authentication and create or import a flow containing a Python code component. The component embeds a reverse shell payload (e.g., subprocess spawning a bash reverse shell to an attacker-controlled server) or directly reads and exfiltrates environment variables containing LLM API keys. Since the code runs directly on the host OS under the Langflow process's privileges, the attacker gains immediate shell access. From there, they harvest API keys for OpenAI, Anthropic, or enterprise LLM gateways, enabling AI cost abuse, data exfiltration from connected vector databases, and lateral movement to cloud environments via stored credentials. The entire kill chain requires no prior knowledge of the target — the Langflow UI itself is the exploit surface.