AI Threat Alert
CVE-2026-0771
UNKNOWNCVE-2026-0771 is a critical code injection flaw in Langflow that enables remote code execution by injecting malicious Python into workflow components. Any Langflow instance network-accessible without strict authentication is an open door to full system compromise, including all LLM API keys, credentials, and connected data sources. Audit and restrict all Langflow deployments immediately—assume exposed instances are already compromised.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | — | No patch |
Do you use langflow? You're affected.
Severity & Risk
Recommended Action
- 1. IMMEDIATE — Enumerate all Langflow instances (Docker containers, cloud VMs, developer machines) using asset inventory or network scans. 2. ISOLATE — Remove Langflow from public internet exposure; place behind VPN or restrict to internal-only network access. 3. AUTHENTICATE — Verify authentication is enforced on every Langflow instance; default configurations may allow unauthenticated API access. 4. PATCH — Monitor the Langflow GitHub repository and ZDI advisory ZDI-26-037 for a patched release; apply immediately upon availability. 5. ROTATE CREDENTIALS — Treat all API keys, tokens, and database credentials accessible to Langflow processes on exposed instances as compromised; rotate them now. 6. AUDIT LOGS — Review Langflow logs for unexpected Python function component executions, unusual workflow creation, or anomalous outbound connections. 7. DETECT — Add alerting for unexpected process spawning, outbound reverse shell attempts, and unauthorized workflow API calls from Langflow host IPs.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497.
Exploitation Scenario
An adversary discovers a Langflow instance exposed on the internet via Shodan or targeted reconnaissance. Using the Langflow API or web UI—which may require no authentication—they create a new workflow containing a PythonFunction component with an embedded reverse shell payload (e.g., socket-based or subprocess.Popen call to attacker-controlled infrastructure). When the workflow executes, the injected Python runs in the Langflow process context. The attacker receives a shell with full access to environment variables (LLM API keys, DB passwords), the local file system, and internal network routes. From this foothold, they exfiltrate model credentials, query connected RAG databases, access vector stores, and pivot into the broader cloud environment—all under the guise of legitimate AI workflow execution.