CVE-2026-0768 — UNKNOWN AI Security Vulnerability

CISO Take

CVE-2026-0768 is an unauthenticated remote code execution vulnerability in Langflow that grants attackers a root shell with a single HTTP request — no credentials needed. Any internet-exposed Langflow instance must be treated as fully compromised until isolated and patched. Immediately firewall all external access to Langflow, rotate all LLM API keys accessible from the host, and check logs for exploitation of the /validate endpoint.

Risk Assessment

CRITICAL. Zero authentication barrier combined with root-level code execution and a public ZDI advisory creates a near-zero barrier to full host compromise. Langflow is frequently deployed as an internet-facing AI workflow builder, dramatically widening the attack surface. Although official CVSS is pending, the exploit profile maps to a 9.8+ CRITICAL rating based on equivalent CVEs (CWE-94, no auth, root RCE). Exploitation is trivially scriptable, meaning opportunistic mass scanning is highly probable.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

1.9%

chance of exploitation in 30 days

Higher than 83% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

1 step

1) IMMEDIATE — Block all external network access to Langflow ports (default 7860) via firewall or security group rules; this is non-negotiable until patched. 2) PATCH — Update Langflow to the version that addresses ZDI-26-034 once vendor confirms fix availability; track the ZDI advisory for patch status. 3) DETECT — Query web/app server logs for POST requests to any /validate endpoint with code or script parameters; alert on outbound connections spawned by the Langflow process. 4) ROTATE CREDENTIALS — Assume all LLM API keys, database credentials, and secrets accessible from the Langflow host are compromised; revoke and reissue immediately. 5) HARDEN DEPLOYMENT — Langflow must never run as root; enforce container non-root user, read-only filesystem where possible, and network egress controls.

CISA SSVC Assessment

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.1.2 - AI system security A.6.2 - AI System Risk Management

NIST AI RMF

MANAGE 2.2 - Risk Treatment and Response MANAGE-2.2 - Mechanisms to respond to AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-0768?

CVE-2026-0768 is an unauthenticated remote code execution vulnerability in Langflow that grants attackers a root shell with a single HTTP request — no credentials needed. Any internet-exposed Langflow instance must be treated as fully compromised until isolated and patched. Immediately firewall all external access to Langflow, rotate all LLM API keys accessible from the host, and check logs for exploitation of the /validate endpoint.

Is CVE-2026-0768 actively exploited?

No confirmed active exploitation of CVE-2026-0768 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0768?

1) IMMEDIATE — Block all external network access to Langflow ports (default 7860) via firewall or security group rules; this is non-negotiable until patched. 2) PATCH — Update Langflow to the version that addresses ZDI-26-034 once vendor confirms fix availability; track the ZDI advisory for patch status. 3) DETECT — Query web/app server logs for POST requests to any /validate endpoint with code or script parameters; alert on outbound connections spawned by the Langflow process. 4) ROTATE CREDENTIALS — Assume all LLM API keys, database credentials, and secrets accessible from the Langflow host are compromised; revoke and reissue immediately. 5) HARDEN DEPLOYMENT — Langflow must never run as root; enforce container non-root user, read-only filesystem where possible, and network egress controls.

What systems are affected by CVE-2026-0768?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, agent frameworks, AI development environments, multi-agent pipelines, model serving infrastructure.

What is the CVSS score for CVE-2026-0768?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322.

Exploitation Scenario

An adversary scans Shodan or Censys for Langflow instances exposed on default port 7860. Upon finding a target, they craft a single POST request to /api/v1/validate embedding a Python reverse shell payload in the code parameter — no authentication step required. Langflow executes the payload as root, yielding an interactive shell in under 30 seconds. The attacker immediately harvests LLM API keys from environment variables, exfiltrates AI workflow YAML definitions exposing proprietary agent logic, and establishes persistence via a modified Langflow component or cron job. Total time from discovery to root shell: under five minutes.