CVE-2026-0768: Langflow Code Injection enables RCE

CISO Take

CVE-2026-0768 is an unauthenticated remote code execution vulnerability in Langflow that grants attackers a root shell with a single HTTP request — no credentials needed. Any internet-exposed Langflow instance must be treated as fully compromised until isolated and patched. Immediately firewall all external access to Langflow, rotate all LLM API keys accessible from the host, and check logs for exploitation of the /validate endpoint.

What is the risk?

CRITICAL. Zero authentication barrier combined with root-level code execution and a public ZDI advisory creates a near-zero barrier to full host compromise. Langflow is frequently deployed as an internet-facing AI workflow builder, dramatically widening the attack surface. Although official CVSS is pending, the exploit profile maps to a 9.8+ CRITICAL rating based on equivalent CVEs (CWE-94, no auth, root RCE). Exploitation is trivially scriptable, meaning opportunistic mass scanning is highly probable.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 4d ago 40% patched ~67d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

2.0%

chance of exploitation in 30 days

Higher than 79% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

1 step

1) IMMEDIATE — Block all external network access to Langflow ports (default 7860) via firewall or security group rules; this is non-negotiable until patched. 2) PATCH — Update Langflow to the version that addresses ZDI-26-034 once vendor confirms fix availability; track the ZDI advisory for patch status. 3) DETECT — Query web/app server logs for POST requests to any /validate endpoint with code or script parameters; alert on outbound connections spawned by the Langflow process. 4) ROTATE CREDENTIALS — Assume all LLM API keys, database credentials, and secrets accessible from the Langflow host are compromised; revoke and reissue immediately. 5) HARDEN DEPLOYMENT — Langflow must never run as root; enforce container non-root user, read-only filesystem where possible, and network egress controls.

What does CISA's SSVC say?

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.1.2 - AI system security A.6.2 - AI System Risk Management

NIST AI RMF

MANAGE 2.2 - Risk Treatment and Response MANAGE-2.2 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-0768?

CVE-2026-0768 is an unauthenticated remote code execution vulnerability in Langflow that grants attackers a root shell with a single HTTP request — no credentials needed. Any internet-exposed Langflow instance must be treated as fully compromised until isolated and patched. Immediately firewall all external access to Langflow, rotate all LLM API keys accessible from the host, and check logs for exploitation of the /validate endpoint.

Is CVE-2026-0768 actively exploited?

No confirmed active exploitation of CVE-2026-0768 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0768?

1) IMMEDIATE — Block all external network access to Langflow ports (default 7860) via firewall or security group rules; this is non-negotiable until patched. 2) PATCH — Update Langflow to the version that addresses ZDI-26-034 once vendor confirms fix availability; track the ZDI advisory for patch status. 3) DETECT — Query web/app server logs for POST requests to any /validate endpoint with code or script parameters; alert on outbound connections spawned by the Langflow process. 4) ROTATE CREDENTIALS — Assume all LLM API keys, database credentials, and secrets accessible from the Langflow host are compromised; revoke and reissue immediately. 5) HARDEN DEPLOYMENT — Langflow must never run as root; enforce container non-root user, read-only filesystem where possible, and network egress controls.

What systems are affected by CVE-2026-0768?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, agent frameworks, AI development environments, multi-agent pipelines, model serving infrastructure.

What is the CVSS score for CVE-2026-0768?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

LLM workflow buildersagent frameworksAI development environmentsmulti-agent pipelinesmodel serving infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0055 Unsecured Credentials

AML.T0072 Reverse Shell

AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.15, Article 15

ISO 42001: A.6.1.2, A.6.2

NIST AI RMF: MANAGE 2.2, MANAGE-2.2

OWASP LLM Top 10: LLM03, LLM05

What are the technical details?

Original Advisory

Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322.

Exploitation Scenario

An adversary scans Shodan or Censys for Langflow instances exposed on default port 7860. Upon finding a target, they craft a single POST request to /api/v1/validate embedding a Python reverse shell payload in the code parameter — no authentication step required. Langflow executes the payload as root, yielding an interactive shell in under 30 seconds. The attacker immediately harvests LLM API keys from environment variables, exfiltrates AI workflow YAML definitions exposing proprietary agent logic, and establishes persistence via a modified Langflow component or cron job. Total time from discovery to root shell: under five minutes.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') Primary

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

[Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
[Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.