CVE-2026-0772: langflow: Deserialization enables RCE
CVE-2026-0772 is an authenticated RCE in Langflow's disk cache service via deserialization of untrusted data. Any organization running Langflow as part of their AI pipeline is at risk: a compromised or malicious authenticated user can fully take over the service account and everything it touches (LLM API keys, vector DBs, internal tooling). Patch immediately, audit who holds Langflow credentials, and treat this as a P1 until closed.
What is the risk?
HIGH. The authentication requirement provides limited real-world protection: in most enterprise AI deployments, Langflow is accessed by multiple developers and ML engineers, and credentials are routinely shared or reused. The service account context amplifies impact significantly, because Langflow processes typically hold LLM provider API keys, cloud credentials, and vector database access. No official CVSS score is published yet, but deserialization RCE in a widely-adopted LLM framework is empirically an 8.5–9.0 range vulnerability. Insider threat and phished-credential scenarios make this exploitable in most real-world configurations without any additional prerequisites.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
What should I do?
1. PATCH: Update Langflow to the latest available release immediately. Monitor ZDI advisory ZDI-26-038 and vendor release notes for a confirmed patched version.
2. NETWORK RESTRICT: If patching is delayed, isolate Langflow behind a VPN or IP allowlist; remove any public internet exposure.
3. LEAST PRIVILEGE: Ensure the Langflow service account has minimal permissions: no admin access to cloud environments, no write access to production data stores.
4. CREDENTIAL ROTATION: Rotate all API keys and secrets accessible from the Langflow environment as a precautionary measure post-patch.
5. DETECT: Alert on anomalous child process spawning from Langflow, unexpected outbound network connections, new cron entries, or file writes to /tmp from the Langflow process.
6. ACCESS AUDIT: Review and prune Langflow user accounts; enforce MFA on all remaining accounts.
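The DETECT step can be expressed as a small rule set over host telemetry. The following is an added example, not Langflow or vendor code; the JSON event schema, the process name `langflow`, and both allowlists are assumptions, and the sample events are constructed.

```python
import ipaddress
import json

# Constructed sample telemetry (hypothetical schema, one JSON event per line).
SAMPLE_EVENTS = """\
{"type":"exec","parent":"langflow","image":"/usr/bin/python3","args":"-m uvicorn"}
{"type":"exec","parent":"langflow","image":"/bin/sh","args":"-c id"}
{"type":"file_write","process":"langflow","path":"/tmp/.x/stage"}
{"type":"file_write","process":"langflow","path":"/var/lib/langflow/cache/a1"}
{"type":"file_write","process":"sh","parent":"langflow","path":"/etc/cron.d/job"}
{"type":"connect","process":"langflow","dest_ip":"10.0.5.20","dest_port":5432}
{"type":"connect","process":"langflow","dest_ip":"203.0.113.7","dest_port":8443}
"""
EXPECTED_CHILDREN = {"/usr/bin/python3"}             # assumption: normal workers
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal services
CRON_PREFIXES = ("/etc/cron", "/var/spool/cron")

def _from_langflow(ev):
    # The event was produced by the Langflow process or one of its children.
    return "langflow" in (ev.get("process"), ev.get("parent"))

def classify(ev):
    """Return an alert name for a suspicious Langflow-originated event, else None."""
    if not _from_langflow(ev):
        return None
    kind = ev.get("type")
    if kind == "exec" and ev.get("image") not in EXPECTED_CHILDREN:
        return "unexpected_child_process"
    if kind == "file_write":
        path = ev.get("path", "")
        if path.startswith(CRON_PREFIXES):
            return "cron_modification"
        if path.startswith("/tmp/"):
            return "tmp_write"
    if kind == "connect":
        ip = ipaddress.ip_address(ev["dest_ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            return "unexpected_outbound_connection"
    return None

def scan(lines):
    """Return (line_number, alert) for each flagged event in a JSON-lines string."""
    alerts = []
    for n, line in enumerate(lines.splitlines(), 1):
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append((n, alert))
    return alerts
```

In production the same conditions would be written in the rule language of whatever already collects process, file and network events on the Langflow host.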
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-0772?
CVE-2026-0772 is an authenticated RCE in Langflow's disk cache service via deserialization of untrusted data. Any organization running Langflow as part of their AI pipeline is at risk: a compromised or malicious authenticated user can fully take over the service account and everything it touches (LLM API keys, vector DBs, internal tooling). Patch immediately, audit who holds Langflow credentials, and treat this as a P1 until closed.
Is CVE-2026-0772 actively exploited?
No confirmed active exploitation of CVE-2026-0772 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-0772?
1. PATCH: Update Langflow to the latest available release immediately. Monitor ZDI advisory ZDI-26-038 and vendor release notes for a confirmed patched version.
2. NETWORK RESTRICT: If patching is delayed, isolate Langflow behind a VPN or IP allowlist; remove any public internet exposure.
3. LEAST PRIVILEGE: Ensure the Langflow service account has minimal permissions: no admin access to cloud environments, no write access to production data stores.
4. CREDENTIAL ROTATION: Rotate all API keys and secrets accessible from the Langflow environment as a precautionary measure post-patch.
5. DETECT: Alert on anomalous child process spawning from Langflow, unexpected outbound network connections, new cron entries, or file writes to /tmp from the Langflow process.
6. ACCESS AUDIT: Review and prune Langflow user accounts; enforce MFA on all remaining accounts.
What systems are affected by CVE-2026-0772?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM orchestration pipelines, AI workflow automation, model serving.
What is the CVSS score for CVE-2026-0772?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0012 Valid Accounts
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0055 Unsecured Credentials
- AML.T0072 Reverse Shell
- AML.T0083 Credentials from AI Agent Configuration
Compliance Controls Affected
What are the technical details?
Original Advisory
Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919.
Exploitation Scenario
An attacker with valid Langflow credentials — obtained via spearphishing an ML engineer, credential stuffing a reused password, or using insider access — crafts a malicious serialized Python object (e.g., a pickle payload executing a reverse shell) and submits it to the disk cache service. Langflow deserializes the payload during cache read/write operations, executing the embedded code in the service account context. Within minutes, the attacker extracts LLM provider API keys from environment variables, harvests vector database connection strings from Langflow's configuration files, and uses the Langflow host as a pivot into internal ML infrastructure. In agentic deployments with registered tools (code execution, web browsing, database access), the attacker can further invoke these tools directly to move laterally or exfiltrate data via the agent's legitimate channels — bypassing traditional network monitoring.
Weaknesses (CWE)
CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Source: MITRE CWE corpus.
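Both CWE-502 mitigations above can be combined in a cache format: authenticate the blob with an HMAC before parsing it, then copy validated fields into a new object. This is an added example, not Langflow's code or its fix; the `CacheEntry` fields, the 86400-second TTL limit and the key handling are assumptions, and JSON is used in place of a native object serializer.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

class CacheIntegrityError(Exception):
    """Raised when a cache blob fails authentication or validation."""

@dataclass(frozen=True)
class CacheEntry:
    # Hypothetical entry shape: plain data only, never arbitrary objects.
    flow_id: str
    result: str
    ttl_seconds: int

def seal(entry: CacheEntry, key: bytes) -> bytes:
    """Serialize to JSON and prepend an HMAC-SHA256 tag over the body.

    Assumption: `key` is held by the service outside the cache directory.
    """
    body = json.dumps(asdict(entry), sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(blob: bytes, key: bytes) -> CacheEntry:
    """Authenticate first, then parse, then build a new validated object."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        raise CacheIntegrityError("HMAC mismatch: blob not written by this service")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise CacheIntegrityError("body is not valid JSON") from exc
    if not isinstance(data, dict) or set(data) != {"flow_id", "result", "ttl_seconds"}:
        raise CacheIntegrityError("unexpected fields in cache entry")
    if not isinstance(data["flow_id"], str) or not isinstance(data["result"], str):
        raise CacheIntegrityError("flow_id and result must be strings")
    ttl = data["ttl_seconds"]
    if isinstance(ttl, bool) or not isinstance(ttl, int) or not 0 < ttl <= 86400:
        raise CacheIntegrityError("ttl_seconds out of range")
    return CacheEntry(data["flow_id"], data["result"], ttl)
```

The field checks still run after the tag verifies, so an entry written with a valid key but an unexpected shape is rejected rather than trusted.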
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2026-10561 | 10.0 | Langflow: auth bypass + unauthenticated RCE (CVSS 10) | Same package: langflow |
| CVE-2026-55255 | 9.9 | Langflow: IDOR allows cross-user flow execution | Same package: langflow |
| CVE-2026-33309 | 9.9 | langflow: Path Traversal enables file access | Same package: langflow |
| CVE-2024-37014 | 9.8 | Langflow: unauthenticated RCE via custom component API | Same package: langflow |
| CVE-2026-33017 | 9.8 | langflow: Code Injection enables RCE | Same package: langflow |