CVE-2026-0770

GHSA-g22f-v6f7-2hrh HIGH
Published January 23, 2026
CISO Take

CVE-2026-0770 is a critical unauthenticated RCE in Langflow that grants root access to any attacker who can reach the validate endpoint — no credentials required. A public PoC already exists on GitHub, making exploitation trivial for any threat actor. Any Langflow deployment (<= 1.7.3) reachable from the network must be taken offline or patched immediately; treat any exposed instance as compromised until forensics confirm otherwise.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
langflow | pip | <= 1.7.3 | No patch
langflow | pip | | No patch

Severity & Risk

CVSS 3.1: N/A
EPSS: 11.4% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: Trivial

Recommended Action

  1. IMMEDIATE: Identify all Langflow deployments (pip, Docker, cloud-managed) across all environments: dev, staging, production. Assume any instance running <= 1.7.3 is at risk.
  2. PATCH OR ISOLATE: Upgrade Langflow if a patched version is available; if not, take instances offline or block external access with a network ACL or WAF rule targeting the /validate endpoint.
  3. ROTATE CREDENTIALS: Rotate all LLM API keys, database credentials, and secrets stored on or accessible from affected hosts.
  4. FORENSICS: Review web server access logs for POST requests to the validate endpoint with the exec_globals parameter, and flag any anomalous calls from the past 30 days.
  5. HARDEN: Langflow should never be internet-facing without an authenticating reverse proxy or VPN. Apply least-privilege to the process user; running as root is a configuration failure.
  6. DETECT: Add SIEM/WAF signatures for exec_globals in HTTP request bodies targeting AI framework endpoints.
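The log review in steps 4 and 6, as an added example (not code from Langflow or from this advisory): it flags POSTs to the validate endpoint inside the 30-day window and separates requests where exec_globals is visible from those whose body was never logged. Assumptions: an nginx "combined" log format with a trailing quoted $request_body field, the sample path /api/v1/validate/code, and the hypothetical names triage, HIGH and REVIEW.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout: nginx "combined" format plus a trailing quoted $request_body
# field (bodies are not logged by default). Adjust LINE_RE to your proxy.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>.*)")?$'
)

def triage(lines, now, window_days=30):
    """Return sorted (severity, ip, timestamp, path) for POSTs to the validate endpoint."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if "/validate" not in path.lower():
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff:
            continue
        # HIGH: the parameter name is visible in the query string or logged body.
        # REVIEW: body not logged, so the request cannot be ruled out.
        seen = (m["path"] + " " + (m["body"] or "")).lower()
        severity = "HIGH" if "exec_globals" in seen else "REVIEW"
        hits.append((severity, m["ip"], ts.isoformat(), path))
    return sorted(hits)

# Constructed sample lines (documentation IP ranges; endpoint path is an assumption).
SAMPLE_LOG = [
    r'192.0.2.10 - - [25/Jan/2026:10:15:02 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.31" "{\x22exec_globals\x22: \x22<redacted>\x22}"',
    r'198.51.100.7 - - [02/Feb/2026:08:00:41 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    r'203.0.113.5 - - [03/Feb/2026:09:12:00 +0000] "GET /api/v1/validate/code HTTP/1.1" 405 31 "-" "Mozilla/5.0"',
    r'192.0.2.10 - - [01/Nov/2025:23:59:10 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "python-requests/2.31" "{\x22exec_globals\x22: \x22<redacted>\x22}"',
    r'203.0.113.5 - - [04/Feb/2026:11:00:00 +0000] "POST /api/v1/login HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    now = datetime(2026, 2, 19, tzinfo=timezone.utc)
    for hit in triage(SAMPLE_LOG, now):
        print(*hit)
```

A REVIEW hit means the proxy did not record the body, so the request needs correlation with application logs or host telemetry before it can be cleared.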

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.9.3 - AI System Security
NIST AI RMF: MANAGE 2.4 - Residual Risk Treatment
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Technical Details

NVD Description

Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.

Exploitation Scenario

An adversary scans internet-facing IP ranges for Langflow instances using Shodan, Censys, or automated scanners targeting known Langflow ports and UI fingerprints. Upon identifying a vulnerable instance (trivially confirmed via version disclosure in the UI or API), the attacker sends a crafted POST request to the /validate endpoint embedding arbitrary Python code in the exec_globals parameter. The server executes the payload as root, granting immediate shell access. The attacker then establishes persistence via a reverse shell (AML.T0072), exfiltrates all LLM API keys and proprietary workflow definitions, and uses the compromised host as a pivot point into the internal AI/ML infrastructure. The entire attack chain can be completed in minutes using the public GitHub PoC.

Timeline

Published: January 23, 2026
Last Modified: February 19, 2026
First Seen: January 23, 2026