CVE-2026-0770: langflow: security flaw enables exploitation

GHSA-g22f-v6f7-2hrh | HIGH | ACTIVELY EXPLOITED | NUCLEI TEMPLATE | CISA: TRACK*
Published January 23, 2026

CISO Take

CVE-2026-0770 is a critical unauthenticated RCE in Langflow that grants root access to any attacker who can reach the validate endpoint — no credentials required. A public PoC already exists on GitHub, making exploitation trivial for any threat actor. Any Langflow deployment (<= 1.7.3) reachable from the network must be taken offline or patched immediately; treat any exposed instance as compromised until forensics confirm otherwise.

Risk Assessment

Critical risk. The combination of unauthenticated access, root-level code execution, and an available PoC places this at the top of the remediation queue. EPSS of 11.4% is high for a newly published CVE, signaling active exploitation interest from the threat community. Langflow is widely deployed in enterprise AI development and orchestration environments, often with privileged access to LLM API keys, internal data, and downstream infrastructure. Blast radius extends far beyond the Langflow host itself.

Affected Systems

Package   Ecosystem  Vulnerable Range  Patched
langflow  pip        -                 No patch
langflow  pip        <= 1.7.3          No patch

Severity & Risk

CVSS 3.1: N/A
EPSS: 11.9% chance of exploitation in 30 days (higher than 94% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high

CISA KEV (active exploitation confirmed)
Nuclei detection template available
EPSS exploit prediction: 12%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

6 steps
  1. IMMEDIATE

    Identify all Langflow deployments (pip, Docker, cloud-managed) across all environments — dev, staging, production. Assume any instance running <= 1.7.3 is at risk.

  2. PATCH OR ISOLATE

    Upgrade Langflow if a patched version is available; if not, take instances offline or block external access with a network ACL or WAF rule targeting the /validate endpoint.

  3. ROTATE CREDENTIALS

    Rotate all LLM API keys, database credentials, and secrets stored on or accessible from affected hosts.

  4. FORENSICS

    Review web server access logs for POST requests to the validate endpoint with exec_globals parameter — flag any anomalous calls from the past 30 days.

  5. HARDEN

    Langflow should never be internet-facing without an authenticating reverse proxy or VPN. Apply least-privilege to the process user — running as root is a configuration failure.

  6. DETECT

    Add SIEM/WAF signatures for exec_globals in HTTP request bodies targeting AI framework endpoints.
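
The FORENSICS and DETECT steps above can be combined into one log triage pass. The following is an added example, not code from Langflow or from this advisory: it assumes a hypothetical reverse-proxy audit log in JSON-lines form (fields `ts`, `src`, `method`, `path`, optional `body`) and matches the `/validate` path fragment named above, since the full route is not given on this page.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

VALIDATE_MARKER = "/validate"  # path fragment from the advisory; full route is an assumption
BODY_MARKER = "exec_globals"   # parameter named in the advisory
WINDOW = timedelta(days=30)    # look-back period from the FORENSICS step

# Constructed sample: JSON-lines audit log from a hypothetical reverse proxy.
SAMPLE_LOG = r"""
{"ts":"2026-02-10T09:14:02+00:00","src":"203.0.113.7","method":"POST","path":"/validate","body":"{\"exec_globals\":{}}"}
{"ts":"2026-02-11T11:02:40+00:00","src":"198.51.100.23","method":"POST","path":"/validate"}
{"ts":"2026-02-12T08:00:00+00:00","src":"192.0.2.10","method":"GET","path":"/validate"}
{"ts":"2025-12-01T10:00:00+00:00","src":"203.0.113.7","method":"POST","path":"/validate","body":"exec_globals=1"}
{"ts":"2026-02-15T22:31:09+00:00","src":"203.0.113.7","method":"post","path":"/Validate","body":"code=1&exec%5Fglobals=1"}
{"ts":"2026-02-16T07:45:00+00:00","src":"192.0.2.10","method":"POST","path":"/login","body":"user=a"}
truncated line without JSON
"""

def triage(log_text, now):
    """Return (findings, skipped); findings are (level, ts, src) tuples."""
    findings, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            rec = json.loads(line)
            age = now - datetime.fromisoformat(rec["ts"])
            method, path = rec["method"].upper(), rec["path"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed record: count it so gaps in coverage are visible
            continue
        if method != "POST" or VALIDATE_MARKER not in path or age > WINDOW:
            continue
        body = rec.get("body")
        if body is None:
            level = "review"  # body not logged: the request cannot be ruled in or out
        elif BODY_MARKER in unquote_plus(str(body)).lower():
            level = "high"    # marker present, also when URL-encoded
        else:
            level = "low"
        findings.append((level, rec["ts"], rec.get("src", "unknown")))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = triage(SAMPLE_LOG, now=datetime(2026, 2, 19, tzinfo=timezone.utc))
    for hit in hits:
        print(*hit)
    print(f"{bad} malformed line(s) skipped")
```

Standard access logs do not record request bodies, so most real hits will land in the "review" tier unless a WAF or proxy captures bodies; those entries need correlation with host-level evidence.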

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.9.3 - AI System Security
NIST AI RMF: MANAGE 2.4 - Residual Risk Treatment
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-0770 actively exploited?

Yes, CVE-2026-0770 is confirmed actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2026-0770?

  1. IMMEDIATE: Identify all Langflow deployments (pip, Docker, cloud-managed) across all environments — dev, staging, production. Assume any instance running <= 1.7.3 is at risk.
  2. PATCH OR ISOLATE: Upgrade Langflow if a patched version is available; if not, take instances offline or block external access with a network ACL or WAF rule targeting the /validate endpoint.
  3. ROTATE CREDENTIALS: Rotate all LLM API keys, database credentials, and secrets stored on or accessible from affected hosts.
  4. FORENSICS: Review web server access logs for POST requests to the validate endpoint with exec_globals parameter — flag any anomalous calls from the past 30 days.
  5. HARDEN: Langflow should never be internet-facing without an authenticating reverse proxy or VPN. Apply least-privilege to the process user — running as root is a configuration failure.
  6. DETECT: Add SIEM/WAF signatures for exec_globals in HTTP request bodies targeting AI framework endpoints.

What systems are affected by CVE-2026-0770?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI application backends, development and staging AI environments, model serving pipelines.

What is the CVSS score for CVE-2026-0770?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.

Exploitation Scenario

An adversary scans internet-facing IP ranges for Langflow instances using Shodan, Censys, or automated scanners targeting known Langflow ports and UI fingerprints. Upon identifying a vulnerable instance (trivially confirmed via version disclosure in the UI or API), the attacker sends a crafted POST request to the /validate endpoint embedding arbitrary Python code in the exec_globals parameter. The server executes the payload as root, granting immediate shell access. The attacker then establishes persistence via a reverse shell (AML.T0072), exfiltrates all LLM API keys and proprietary workflow definitions, and uses the compromised host as a pivot point into the internal AI/ML infrastructure. The entire attack chain can be completed in minutes using the public GitHub PoC.

Timeline

Published: January 23, 2026
Last Modified: February 19, 2026
First Seen: January 23, 2026

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2026/CVE-2026-0770.yaml -u https://target.example.com
