CVE-2026-0772

UNKNOWN
Published January 23, 2026
CISO Take

CVE-2026-0772 is an authenticated RCE in Langflow's disk cache service via deserialization of untrusted data. Any organization running Langflow as part of its AI pipeline is at risk — a compromised or malicious authenticated user can fully take over the service account and everything it touches (LLM API keys, vector DBs, internal tooling). Patch immediately, audit who holds Langflow credentials, and treat this as a P1 until closed.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | | No patch |

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
KEV Status: Not in KEV
Sophistication: Moderate

Recommended Action

  1. PATCH: Update Langflow to the latest available release immediately. Monitor ZDI advisory ZDI-26-038 and vendor release notes for confirmed patched version.
  2. NETWORK RESTRICT: If patching is delayed, isolate Langflow behind a VPN or IP allowlist; remove any public internet exposure.
  3. LEAST PRIVILEGE: Ensure the Langflow service account has minimal permissions — no admin access to cloud environments, no write access to production data stores.
  4. CREDENTIAL ROTATION: Rotate all API keys and secrets accessible from the Langflow environment as a precautionary measure post-patch.
  5. DETECT: Alert on anomalous child process spawning from Langflow, unexpected outbound network connections, new cron entries, or file writes to /tmp from the Langflow process.
  6. ACCESS AUDIT: Review and prune Langflow user accounts; enforce MFA on all remaining accounts.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
  - A.6.2.6 - Security of AI system components
  - A.7.4 - AI System Security Controls
NIST AI RMF
  - GOVERN 1.7 - Processes for AI risk identification and communication
  - MANAGE 2.2 - Risk Response: Treatment of AI Risks
OWASP LLM Top 10
  - LLM05:2025 - Supply Chain Vulnerabilities

Technical Details

NVD Description

Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919.

Exploitation Scenario

An attacker with valid Langflow credentials — obtained via spearphishing an ML engineer, credential stuffing a reused password, or using insider access — crafts a malicious serialized Python object (e.g., a pickle payload executing a reverse shell) and submits it to the disk cache service. Langflow deserializes the payload during cache read/write operations, executing the embedded code in the service account context. Within minutes, the attacker extracts LLM provider API keys from environment variables, harvests vector database connection strings from Langflow's configuration files, and uses the Langflow host as a pivot into internal ML infrastructure. In agentic deployments with registered tools (code execution, web browsing, database access), the attacker can further invoke these tools directly to move laterally or exfiltrate data via the agent's legitimate channels — bypassing traditional network monitoring.

Weaknesses (CWE)

Timeline

Published: January 23, 2026
Last Modified: February 18, 2026
First Seen: January 23, 2026