CVE-2026-0771 — UNKNOWN AI Security Vulnerability

CISO Take

CVE-2026-0771 is a critical code injection flaw in Langflow that enables remote code execution by injecting malicious Python into workflow components. Any Langflow instance network-accessible without strict authentication is an open door to full system compromise, including all LLM API keys, credentials, and connected data sources. Audit and restrict all Langflow deployments immediately—assume exposed instances are already compromised.

Risk Assessment

HIGH. Although formal CVSS scoring is pending, CWE-94 code injection enabling RCE in an AI orchestration framework is inherently critical. Exploitability is configuration-dependent but trivially low when Langflow is exposed without authentication—a common deployment pattern among teams prototyping AI workflows. The impact radius is severe: Langflow processes typically hold LLM API keys, database credentials, and access to downstream AI infrastructure. Until a patch is confirmed, treat this as a critical-severity finding requiring immediate network isolation of all Langflow instances.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 38% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.1%

chance of exploitation in 30 days

Higher than 34% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Recommended Action

7 steps

IMMEDIATE — Enumerate all Langflow instances (Docker containers, cloud VMs, developer machines) using asset inventory or network scans.
ISOLATE — Remove Langflow from public internet exposure; place behind VPN or restrict to internal-only network access.
AUTHENTICATE — Verify authentication is enforced on every Langflow instance; default configurations may allow unauthenticated API access.
PATCH — Monitor the Langflow GitHub repository and ZDI advisory ZDI-26-037 for a patched release; apply immediately upon availability.
ROTATE CREDENTIALS — Treat all API keys, tokens, and database credentials accessible to Langflow processes on exposed instances as compromised; rotate them now.
AUDIT LOGS — Review Langflow logs for unexpected Python function component executions, unusual workflow creation, or anomalous outbound connections.
DETECT — Add alerting for unexpected process spawning, outbound reverse shell attempts, and unauthorized workflow API calls from Langflow host IPs.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Data Extraction Framework Agent Plugin AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

8.4 - AI System Development and Operation Security A.6.2.6 - AI System Security

NIST AI RMF

MANAGE 2.2 - Residual Risk Management MANAGE-2.2 - Mechanisms to Address AI System Problems

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-0771?

CVE-2026-0771 is a critical code injection flaw in Langflow that enables remote code execution by injecting malicious Python into workflow components. Any Langflow instance network-accessible without strict authentication is an open door to full system compromise, including all LLM API keys, credentials, and connected data sources. Audit and restrict all Langflow deployments immediately—assume exposed instances are already compromised.

Is CVE-2026-0771 actively exploited?

No confirmed active exploitation of CVE-2026-0771 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0771?

1. IMMEDIATE — Enumerate all Langflow instances (Docker containers, cloud VMs, developer machines) using asset inventory or network scans. 2. ISOLATE — Remove Langflow from public internet exposure; place behind VPN or restrict to internal-only network access. 3. AUTHENTICATE — Verify authentication is enforced on every Langflow instance; default configurations may allow unauthenticated API access. 4. PATCH — Monitor the Langflow GitHub repository and ZDI advisory ZDI-26-037 for a patched release; apply immediately upon availability. 5. ROTATE CREDENTIALS — Treat all API keys, tokens, and database credentials accessible to Langflow processes on exposed instances as compromised; rotate them now. 6. AUDIT LOGS — Review Langflow logs for unexpected Python function component executions, unusual workflow creation, or anomalous outbound connections. 7. DETECT — Add alerting for unexpected process spawning, outbound reverse shell attempts, and unauthorized workflow API calls from Langflow host IPs.

What systems are affected by CVE-2026-0771?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, model serving, AI workflow automation.

What is the CVSS score for CVE-2026-0771?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497.

Exploitation Scenario

An adversary discovers a Langflow instance exposed on the internet via Shodan or targeted reconnaissance. Using the Langflow API or web UI—which may require no authentication—they create a new workflow containing a PythonFunction component with an embedded reverse shell payload (e.g., socket-based or subprocess.Popen call to attacker-controlled infrastructure). When the workflow executes, the injected Python runs in the Langflow process context. The attacker receives a shell with full access to environment variables (LLM API keys, DB passwords), the local file system, and internal network routes. From this foothold, they exfiltrate model credentials, query connected RAG databases, access vector stores, and pivot into the broader cloud environment—all under the guise of legitimate AI workflow execution.