CVE-2026-0768

UNKNOWN

Published January 23, 2026

CISO Take

CVE-2026-0768 is an unauthenticated remote code execution vulnerability in Langflow that grants attackers a root shell with a single HTTP request — no credentials needed. Any internet-exposed Langflow instance must be treated as fully compromised until isolated and patched. Immediately firewall all external access to Langflow, rotate all LLM API keys accessible from the host, and check logs for exploitation of the /validate endpoint.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1) IMMEDIATE — Block all external network access to Langflow ports (default 7860) via firewall or security group rules; this is non-negotiable until patched. 2) PATCH — Update Langflow to the version that addresses ZDI-26-034 once vendor confirms fix availability; track the ZDI advisory for patch status. 3) DETECT — Query web/app server logs for POST requests to any /validate endpoint with code or script parameters; alert on outbound connections spawned by the Langflow process. 4) ROTATE CREDENTIALS — Assume all LLM API keys, database credentials, and secrets accessible from the Langflow host are compromised; revoke and reissue immediately. 5) HARDEN DEPLOYMENT — Langflow must never run as root; enforce container non-root user, read-only filesystem where possible, and network egress controls.

Classification

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.1.2 - AI system security A.6.2 - AI System Risk Management

NIST AI RMF

MANAGE 2.2 - Risk Treatment and Response MANAGE-2.2 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities

Technical Details

NVD Description

Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322.

Exploitation Scenario

An adversary scans Shodan or Censys for Langflow instances exposed on default port 7860. Upon finding a target, they craft a single POST request to /api/v1/validate embedding a Python reverse shell payload in the code parameter — no authentication step required. Langflow executes the payload as root, yielding an interactive shell in under 30 seconds. The attacker immediately harvests LLM API keys from environment variables, exfiltrates AI workflow YAML definitions exposing proprietary agent logic, and establishes persistence via a modified Langflow component or cron job. Total time from discovery to root shell: under five minutes.

Weaknesses (CWE)

CWE-94 Primary

References

zerodayinitiative.com/advisories/ZDI-26-034/
3rd Party

Timeline

Published

January 23, 2026

Last Modified

February 18, 2026

First Seen

January 23, 2026

Back to Threat Feed