CVE-2026-0772: langflow: Deserialization enables RCE

UNKNOWN
Published January 23, 2026
CISO Take

CVE-2026-0772 is an authenticated RCE in Langflow's disk cache service via deserialization of untrusted data. Any organization running Langflow as part of their AI pipeline is at risk — a compromised or malicious authenticated user can fully take over the service account and everything it touches (LLM API keys, vector DBs, internal tooling). Patch immediately, audit who holds Langflow credentials, and treat this as P1 until closed.

Risk Assessment

HIGH. Authentication requirement provides limited real-world protection: in most enterprise AI deployments, Langflow is accessed by multiple developers and ML engineers, and credentials are routinely shared or reused. The service account context amplifies impact significantly — Langflow processes typically hold LLM provider API keys, cloud credentials, and vector database access. No official CVSS score is published yet, but deserialization RCE in a widely-adopted LLM framework is empirically an 8.5–9.0 range vulnerability. Insider threat and phished-credential scenarios make this exploitable in most real-world configurations without any additional prerequisites.

Affected Systems

Package  | Ecosystem | Vulnerable Range | Patched
langflow | pip       | -                | No patch
147.6K Pushed 6d ago 38% patched ~53d to patch

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.9% chance of exploitation in 30 days (higher than 76% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Recommended Action

6 steps
  1. PATCH

    Update Langflow to the latest available release immediately. Monitor ZDI advisory ZDI-26-038 and vendor release notes for confirmed patched version.

  2. NETWORK RESTRICT

    If patching is delayed, isolate Langflow behind a VPN or IP allowlist; remove any public internet exposure.

  3. LEAST PRIVILEGE

    Ensure the Langflow service account has minimal permissions — no admin access to cloud environments, no write access to production data stores.

  4. CREDENTIAL ROTATION

    Rotate all API keys and secrets accessible from the Langflow environment as a precautionary measure post-patch.

  5. DETECT

    Alert on anomalous child process spawning from Langflow, unexpected outbound network connections, new cron entries, or file writes to /tmp from the Langflow process.

  6. ACCESS AUDIT

    Review and prune Langflow user accounts; enforce MFA on all remaining accounts.
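
Step 5 expressed as detection logic over process, network and file telemetry. This is an added example, not code from Langflow or the advisory; the event schema, the allowlists and the sample events are constructed assumptions.

```python
import json

# Constructed sample telemetry (not real logs). Field names are assumptions
# modeled on generic EDR/auditd-style exec, connect and file-write events.
EVENTS = """
{"type":"exec","pid":100,"ppid":1,"exe":"/usr/bin/python3","cmd":"python3 -m langflow run"}
{"type":"exec","pid":101,"ppid":100,"exe":"/usr/bin/python3","cmd":"python3 worker"}
{"type":"exec","pid":102,"ppid":101,"exe":"/bin/sh","cmd":"sh -c id"}
{"type":"connect","pid":100,"dest":"api.llm-provider.example:443"}
{"type":"connect","pid":102,"dest":"203.0.113.7:4444"}
{"type":"write","pid":101,"path":"/tmp/stage.bin"}
{"type":"write","pid":100,"path":"/var/lib/langflow/cache/entry1"}
{"type":"write","pid":200,"path":"/tmp/unrelated"}
{"type":"write","pid":102,"path":"/etc/cron.d/job"}
"""

ALLOWED_CHILD_EXES = {"/usr/bin/python3"}          # assumption: expected workers
ALLOWED_DESTS = {"api.llm-provider.example:443"}   # assumption: expected egress
CRON_PREFIXES = ("/etc/cron", "/var/spool/cron")


def detect(lines, root_marker="langflow"):
    """Flag step-5 behaviours for the Langflow process and all its descendants."""
    tracked, alerts = set(), []
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        pid = ev["pid"]
        if ev["type"] == "exec":
            if ev["ppid"] in tracked:
                tracked.add(pid)  # grandchildren stay in scope
                if ev["exe"] not in ALLOWED_CHILD_EXES:
                    alerts.append(("unexpected_child", pid, ev["exe"]))
            elif root_marker in ev["cmd"]:
                tracked.add(pid)  # the service process itself
        elif pid in tracked:
            if ev["type"] == "connect" and ev["dest"] not in ALLOWED_DESTS:
                alerts.append(("unexpected_egress", pid, ev["dest"]))
            elif ev["type"] == "write" and ev["path"].startswith("/tmp/"):
                alerts.append(("tmp_write", pid, ev["path"]))
            elif ev["type"] == "write" and ev["path"].startswith(CRON_PREFIXES):
                alerts.append(("cron_write", pid, ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Tracking descendants rather than only direct children matters because a shell is often spawned by a worker, not by the service process itself.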

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.6 - Security of AI system components
A.7.4 - AI System Security Controls
NIST AI RMF
GOVERN 1.7 - Processes for AI risk identification and communication
MANAGE 2.2 - Risk Response: Treatment of AI Risks
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-0772?

CVE-2026-0772 is an authenticated RCE in Langflow's disk cache service via deserialization of untrusted data. Any organization running Langflow as part of their AI pipeline is at risk — a compromised or malicious authenticated user can fully take over the service account and everything it touches (LLM API keys, vector DBs, internal tooling). Patch immediately, audit who holds Langflow credentials, and treat this as P1 until closed.

Is CVE-2026-0772 actively exploited?

No confirmed active exploitation of CVE-2026-0772 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-0772?

  1. PATCH: Update Langflow to the latest available release immediately. Monitor ZDI advisory ZDI-26-038 and vendor release notes for confirmed patched version.
  2. NETWORK RESTRICT: If patching is delayed, isolate Langflow behind a VPN or IP allowlist; remove any public internet exposure.
  3. LEAST PRIVILEGE: Ensure the Langflow service account has minimal permissions — no admin access to cloud environments, no write access to production data stores.
  4. CREDENTIAL ROTATION: Rotate all API keys and secrets accessible from the Langflow environment as a precautionary measure post-patch.
  5. DETECT: Alert on anomalous child process spawning from Langflow, unexpected outbound network connections, new cron entries, or file writes to /tmp from the Langflow process.
  6. ACCESS AUDIT: Review and prune Langflow user accounts; enforce MFA on all remaining accounts.

What systems are affected by CVE-2026-0772?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM orchestration pipelines, AI workflow automation, model serving.

What is the CVSS score for CVE-2026-0772?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919.

Exploitation Scenario

An attacker with valid Langflow credentials — obtained via spearphishing an ML engineer, credential stuffing a reused password, or using insider access — crafts a malicious serialized Python object (e.g., a pickle payload executing a reverse shell) and submits it to the disk cache service. Langflow deserializes the payload during cache read/write operations, executing the embedded code in the service account context. Within minutes, the attacker extracts LLM provider API keys from environment variables, harvests vector database connection strings from Langflow's configuration files, and uses the Langflow host as a pivot into internal ML infrastructure. In agentic deployments with registered tools (code execution, web browsing, database access), the attacker can further invoke these tools directly to move laterally or exfiltrate data via the agent's legitimate channels — bypassing traditional network monitoring.
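
A defensive counterpart to the scenario above: an allowlisting unpickler that refuses to import any global, used to audit cache files without letting them run code. This is an added example, not Langflow's code or its fix; it assumes cache entries are raw Python pickle streams (the scenario's own example format), and `ALLOWED_GLOBALS`, `audit_cache_dir` and the sample files are hypothetical.

```python
import io
import pickle
import tempfile
from collections import OrderedDict
from pathlib import Path

# Assumption: the only globals a legitimate cache entry may reference.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves no module attribute outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(blob):
    """Deserialize blob; a blocked reference raises before anything is imported."""
    return AllowlistUnpickler(io.BytesIO(blob)).load()


def audit_cache_dir(cache_dir):
    """Return {filename: reason} for entries that are rejected or unparsable."""
    findings = {}
    for path in sorted(Path(cache_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            safe_loads(path.read_bytes())
        except Exception as exc:
            findings[path.name] = str(exc)
    return findings


def demo():
    # Constructed sample entries: a dict of primitives, and one that references
    # a benign global (collections.OrderedDict) that is not on the allowlist.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ok.pkl").write_bytes(pickle.dumps({"k": [1, 2.5, "v"]}))
        Path(d, "odd.pkl").write_bytes(pickle.dumps(OrderedDict(a=1)))
        return audit_cache_dir(d)


if __name__ == "__main__":
    print(demo())
```

Because `find_class` is the only path by which a pickle stream obtains a callable, denying it by default removes the code-execution primitive while plain data (dicts, lists, strings, numbers) still loads.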

Weaknesses (CWE)

Timeline

Published: January 23, 2026
Last Modified: February 18, 2026
First Seen: January 23, 2026
