CVE-2026-0769 — UNKNOWN AI Security Vulnerability

CISO Take

Langflow deployments exposed to the internet are trivially exploitable for unauthenticated remote code execution — no credentials needed. Any org running Langflow as part of their AI pipeline infrastructure should treat this as a P0: patch or network-isolate immediately. Until patched, restrict Langflow to internal networks only and audit for indicators of compromise.

Risk Assessment

Effective risk is CRITICAL despite missing CVSS score. The attack profile mirrors a 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, no authentication, no user interaction, full process compromise. Langflow is widely deployed in enterprise AI pipeline prototyping and production agentic workflows, significantly expanding the attack surface. The eval() pattern on raw user input is a textbook CWE-95 with no compensating controls described. Exploitation complexity is trivially low — a crafted HTTP POST to the affected endpoint is sufficient.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.9K Pushed today 32% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

1.9%

chance of exploitation in 30 days

Higher than 83% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

6 steps

IMMEDIATE

Isolate all Langflow instances behind VPN or internal network — remove any public internet exposure.
PATCH

Apply vendor patch as soon as released; monitor ZDI advisory ZDI-26-035 and Langflow GitHub for patch ETA.
WORKAROUND (if patch unavailable): Disable custom component functionality via Langflow configuration or block the eval_custom_component_code API endpoint at the WAF/reverse proxy layer.
ROTATE CREDENTIALS

Assume any previously internet-exposed Langflow instance is compromised — rotate all LLM provider API keys, vector DB credentials, and any secrets accessible to the Langflow process.
DETECT

Search logs for anomalous outbound connections from Langflow hosts, unexpected process spawning, and unusual POST requests to component evaluation endpoints.
AUDIT

Review Langflow access logs for exploitation attempts — look for payloads containing import, os, subprocess, socket, or base64 patterns in component code fields.

CISA SSVC Assessment

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Data Extraction Framework Agent Plugin AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 8.1 - Operational planning and control A.6.2.2 - AI System Security — Access Control A.6.2.6 - AI System Security — Input Validation

NIST AI RMF

GOVERN 1.7 - Processes for identifying and managing AI risks GOVERN 6.2 - Risk Management — Policies for AI system security MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems

OWASP LLM Top 10

LLM02 - Insecure Output Handling LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-0769?

Langflow deployments exposed to the internet are trivially exploitable for unauthenticated remote code execution — no credentials needed. Any org running Langflow as part of their AI pipeline infrastructure should treat this as a P0: patch or network-isolate immediately. Until patched, restrict Langflow to internal networks only and audit for indicators of compromise.

Is CVE-2026-0769 actively exploited?

No confirmed active exploitation of CVE-2026-0769 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0769?

1. IMMEDIATE: Isolate all Langflow instances behind VPN or internal network — remove any public internet exposure. 2. PATCH: Apply vendor patch as soon as released; monitor ZDI advisory ZDI-26-035 and Langflow GitHub for patch ETA. 3. WORKAROUND (if patch unavailable): Disable custom component functionality via Langflow configuration or block the eval_custom_component_code API endpoint at the WAF/reverse proxy layer. 4. ROTATE CREDENTIALS: Assume any previously internet-exposed Langflow instance is compromised — rotate all LLM provider API keys, vector DB credentials, and any secrets accessible to the Langflow process. 5. DETECT: Search logs for anomalous outbound connections from Langflow hosts, unexpected process spawning, and unusual POST requests to component evaluation endpoints. 6. AUDIT: Review Langflow access logs for exploitation attempts — look for payloads containing import, os, subprocess, socket, or base64 patterns in component code fields.

What systems are affected by CVE-2026-0769?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM pipeline orchestration, no-code AI workflow builders, RAG pipelines using Langflow, model serving endpoints connected via Langflow.

What is the CVSS score for CVE-2026-0769?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972.

Exploitation Scenario

An adversary scans for Langflow instances via Shodan or direct HTTP fingerprinting (Langflow exposes identifiable UI/API endpoints). Without any authentication, they craft an HTTP POST to the eval_custom_component_code endpoint containing a Python reverse shell payload (e.g., importing subprocess and connecting back to attacker-controlled infrastructure). The Langflow server evaluates the payload and executes it in-process. The attacker now has a shell running as the Langflow service account, reads environment variables and configuration files to harvest LLM API keys and database credentials, exfiltrates the keys, and installs a persistent backdoor. In an agentic deployment, the attacker may also modify pipeline logic to inject malicious instructions into LLM prompts, causing the AI agent to exfiltrate user data or take unauthorized actions on connected tools.