CVE-2026-0771: langflow: Code Injection enables RCE

UNKNOWN
Published January 23, 2026
CISO Take

CVE-2026-0771 is a critical code injection flaw in Langflow that enables remote code execution by injecting malicious Python into workflow components. Any Langflow instance network-accessible without strict authentication is an open door to full system compromise, including all LLM API keys, credentials, and connected data sources. Audit and restrict all Langflow deployments immediately—assume exposed instances are already compromised.

What is the risk?

HIGH. Although formal CVSS scoring is pending, CWE-94 code injection enabling RCE in an AI orchestration framework is inherently critical. Exploitability is configuration-dependent but trivially low when Langflow is exposed without authentication—a common deployment pattern among teams prototyping AI workflows. The impact radius is severe: Langflow processes typically hold LLM API keys, database credentials, and access to downstream AI infrastructure. Until a patch is confirmed, treat this as a critical-severity finding requiring immediate network isolation of all Langflow instances.

What systems are affected?

Package: Langflow
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch
149.9K Pushed 4d ago 40% patched ~67d to patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: 0.6% chance of exploitation in 30 days (higher than 42% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

7 steps
  1. IMMEDIATE — Enumerate all Langflow instances (Docker containers, cloud VMs, developer machines) using asset inventory or network scans.

  2. ISOLATE — Remove Langflow from public internet exposure; place behind VPN or restrict to internal-only network access.

  3. AUTHENTICATE — Verify authentication is enforced on every Langflow instance; default configurations may allow unauthenticated API access.

  4. PATCH — Monitor the Langflow GitHub repository and ZDI advisory ZDI-26-037 for a patched release; apply immediately upon availability.

  5. ROTATE CREDENTIALS — Treat all API keys, tokens, and database credentials accessible to Langflow processes on exposed instances as compromised; rotate them now.

  6. AUDIT LOGS — Review Langflow logs for unexpected Python function component executions, unusual workflow creation, or anomalous outbound connections.

  7. DETECT — Add alerting for unexpected process spawning, outbound reverse shell attempts, and unauthorized workflow API calls from Langflow host IPs.
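The sketch below is an added example, not part of the advisory or of Langflow. It applies steps 1, 2, 3 and 5 to saved `docker inspect` output: it finds Langflow containers, flags ports published beyond loopback, flags auto-login left enabled, and names the environment variables to rotate. Assumptions: containers are identified by "langflow" in the image name, Langflow's `LANGFLOW_AUTO_LOGIN` setting is treated as enabled when unset, and the sample records are constructed.

```python
import json

SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
LOOPBACK = ("127.0.0.1", "::1")

def audit_container(c):
    """Return findings for one `docker inspect` record (steps 2, 3 and 5)."""
    env = dict(e.split("=", 1) for e in (c.get("Config") or {}).get("Env") or [] if "=" in e)
    findings = []
    bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
    for port, hosts in sorted(bindings.items()):
        for h in hosts or []:
            ip = h.get("HostIp") or ""      # empty HostIp means every interface
            if ip not in LOOPBACK:
                findings.append(f"{port} published on {ip or 'all interfaces'}")
    # Assumption: auto-login stays enabled unless explicitly set to "false".
    if env.get("LANGFLOW_AUTO_LOGIN", "true").strip().lower() != "false":
        findings.append("LANGFLOW_AUTO_LOGIN not disabled")
    secrets = sorted(k for k in env if any(s in k.upper() for s in SECRET_HINTS))
    if findings and secrets:                # report names only, never values
        findings.append("rotate: " + ", ".join(secrets))
    return findings

def audit(inspect_records):
    """Step 1: pick out Langflow containers by image name, then audit each."""
    return {c["Name"].lstrip("/"): audit_container(c)
            for c in inspect_records
            if "langflow" in (c.get("Config") or {}).get("Image", "").lower()}

# Constructed sample shaped like `docker inspect` output (no real hosts or keys).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/lf-proto", "Config": {"Image": "langflowai/langflow:latest",
   "Env": ["PATH=/usr/bin", "OPENAI_API_KEY=constructed-value"]},
  "HostConfig": {"PortBindings": {"7860/tcp": [{"HostIp": "", "HostPort": "7860"}]}}},
 {"Name": "/lf-internal", "Config": {"Image": "langflowai/langflow:latest",
   "Env": ["LANGFLOW_AUTO_LOGIN=false"]},
  "HostConfig": {"PortBindings": {"7860/tcp": [{"HostIp": "127.0.0.1", "HostPort": "7860"}]}}},
 {"Name": "/db", "Config": {"Image": "postgres:16", "Env": []},
  "HostConfig": {"PortBindings": null}}
]
""")

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings or "ok")
```

An empty findings list only means the container passed these three checks; instances running outside Docker still need the asset-inventory pass from step 1.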

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 15 - Accuracy, Robustness and Cybersecurity
  • Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  • 8.4 - AI System Development and Operation Security
  • A.6.2.6 - AI System Security
NIST AI RMF
  • MANAGE 2.2 - Residual Risk Management
  • MANAGE-2.2 - Mechanisms to Address AI System Problems
OWASP LLM Top 10
  • LLM07 - Insecure Plugin Design
  • LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-0771 actively exploited?

No confirmed active exploitation of CVE-2026-0771 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-0771?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, model serving, AI workflow automation.

What is the CVSS score for CVE-2026-0771?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM orchestration pipelines, RAG pipelines, model serving, AI workflow automation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15, Article 15
ISO 42001: 8.4, A.6.2.6
NIST AI RMF: MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497.

Exploitation Scenario

An adversary discovers a Langflow instance exposed on the internet via Shodan or targeted reconnaissance. Using the Langflow API or web UI—which may require no authentication—they create a new workflow containing a PythonFunction component with an embedded reverse shell payload (e.g., socket-based or subprocess.Popen call to attacker-controlled infrastructure). When the workflow executes, the injected Python runs in the Langflow process context. The attacker receives a shell with full access to environment variables (LLM API keys, DB passwords), the local file system, and internal network routes. From this foothold, they exfiltrate model credentials, query connected RAG databases, access vector stores, and pivot into the broader cloud environment—all under the guise of legitimate AI workflow execution.
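For the log and workflow review this scenario calls for, the following added example (not Langflow's code and not from the advisory) triages an exported flow definition by parsing each embedded component source with `ast` and reporting imports or builtins that grant process, network or dynamic-code access. Assumptions: component source sits in a `code` object with a string `value`, wherever it appears in the JSON; the module list is a starting point; the sample flow is constructed.

```python
import ast

# Modules and builtins worth a reviewer's attention inside a workflow component.
RISKY_MODULES = {"socket", "subprocess", "os", "pty", "ctypes", "importlib"}
RISKY_CALLS = {"eval", "exec", "compile", "__import__"}

def code_fields(node, path="$"):
    """Yield (json_path, source) for every {"code": {"value": "<str>"}} found."""
    if isinstance(node, dict):
        code = node.get("code")
        if isinstance(code, dict) and isinstance(code.get("value"), str):
            yield path + ".code", code["value"]
        for k, v in node.items():
            yield from code_fields(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from code_fields(v, f"{path}[{i}]")

def risky_constructs(source):
    """Return sorted risky imports/calls; unparseable source is itself a finding."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["unparseable code"]
    hits = set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Import):
            hits |= {a.name.split(".")[0] for a in n.names} & RISKY_MODULES
        elif isinstance(n, ast.ImportFrom) and n.module:
            hits |= {n.module.split(".")[0]} & RISKY_MODULES
        elif isinstance(n, ast.Call) and isinstance(n.func, ast.Name) and n.func.id in RISKY_CALLS:
            hits.add(n.func.id + "()")
    return sorted(hits)

def scan_flow(flow):
    """Map the JSON path of each flagged code field to what it uses."""
    return {p: h for p, src in code_fields(flow) if (h := risky_constructs(src))}

# Constructed sample flow (layout is an assumption, not an exported Langflow file).
SAMPLE_FLOW = {"name": "constructed-flow", "data": {"nodes": [
    {"id": "PythonFunction-a1", "data": {"node": {"template": {"code": {"value":
        "def f(text: str) -> str:\n    return text.upper()\n"}}}}},
    {"id": "PythonFunction-b2", "data": {"node": {"template": {"code": {"value":
        "import subprocess\ndef f(x):\n    return subprocess.run(['id']).returncode\n"}}}}},
]}}

if __name__ == "__main__":
    print(scan_flow(SAMPLE_FLOW))
```

A static pass like this can be bypassed by code that obscures its imports, so treat hits as review leads and keep the network isolation and process-spawn alerting as the actual controls.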

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

Timeline

Published: January 23, 2026
Last Modified: February 18, 2026
First Seen: January 23, 2026
