CVE-2026-12822: Langflow: code injection via Bundle URL Loader (PoC)

MEDIUM
Published June 21, 2026
CISO Take

CVE-2026-12822 is a code injection flaw (CWE-94/CWE-74) in langflow's Bundle URL Loader component affecting all versions through 1.9.3, with a public proof-of-concept already available on GitHub and the vendor having failed to respond to responsible disclosure — meaning there is currently no official patch. A locally authenticated user with low privileges can manipulate the Bundle URL Loader to inject arbitrary code that executes within the langflow process; in practice, 'local access' in shared AI development servers, containerized team environments, or CI/CD pipelines is routinely available to developers and service accounts, making the exploitation bar near-trivial given the public PoC. Langflow carries 54 CVEs across its codebase and a package risk score of 77/100, reinforcing a pattern of security debt in this framework. Until a vendor patch is confirmed, restrict Bundle URL Loader usage to trusted users only, isolate langflow under a least-privilege service account, and monitor the process for unexpected child process spawning.

Sources: NVD, ATLAS, VulnDB, GitHub

What is the risk?

Medium CVSS (5.3) understates operational risk in multi-user and shared AI development deployments. The local attack vector (AV:L) bounds exposure for single-user isolated installations, but langflow is predominantly deployed as a shared visual workflow platform where the local threshold is easily crossed by developers, CI runners, or compromised adjacent accounts. Low attack complexity (AC:L) and low privilege requirement (PR:L) combined with an existing public PoC (E:P in the CVSS temporal vector) reduce exploitation to a near-script-kiddie level. No vendor patch exists and no remediation timeline has been established, leaving defenders with only compensating controls. The 54-CVE history of the package and a 77/100 risk score signal systemic security posture concerns beyond this individual vulnerability.

How does the attack unfold?

Initial Access (AML.T0012)
Attacker obtains low-privilege local access to a system or shared development environment running langflow — via a developer account, compromised CI runner, or lateral movement from an adjacent host.

Exploitation (AML.T0050)
Attacker supplies a malicious bundle URL to the Bundle URL Loader component, triggering code injection (CWE-94) during component initialization or application startup, executing attacker-controlled code within the langflow process.

Credential Harvesting (AML.T0055)
Injected code reads environment variables and configuration files accessible to the langflow process, collecting LLM provider API keys, vector database credentials, and cloud storage tokens.

Impact (AML.T0037)
Attacker uses harvested credentials to run unauthorized LLM inference, exfiltrate proprietary RAG document corpora, or pivot laterally to adjacent AI infrastructure and cloud services.

What systems are affected?

Package    Ecosystem    Vulnerable range             Patched
Langflow   pip          up to and including 1.9.3    No patch


How severe is it?

CVSS 3.1: 5.3 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): Low

What should I do?

7 steps
  1. Monitor langflow's official GitHub releases page and apply any patch releasing a version beyond 1.9.3 immediately — no vendor-confirmed fix exists at time of publication.

  2. Audit all existing Bundle URL Loader configurations and remove or replace any that reference untrusted or externally controlled URLs.

  3. Restrict the ability to configure Bundle URL Loaders to a minimal set of trusted administrators; do not allow untrusted users to define or modify bundle sources.

  4. Run langflow under a dedicated least-privilege service account isolated from production secrets; store API keys in a secrets manager rather than in environment variables accessible to the langflow process.

  5. Deploy langflow in containerized environments with strict egress controls to limit the URLs the Bundle URL Loader can reach.

  6. Enable process-level monitoring on the langflow host to alert on unexpected child process creation or outbound connections from the langflow service account.

  7. If shared or multi-tenant access to langflow cannot be restricted, consider disabling the Bundle URL Loader feature entirely until a patch is available.
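Steps 2 and 3 above call for an audit of every bundle source a flow can reach. The following is an added example, not code from the Langflow project: a schema-agnostic walker over an exported flow JSON that reports every URL whose scheme is not https or whose host is outside a vetted allowlist. The flow document, its field names and the TRUSTED_HOSTS set are constructed for illustration.

```python
"""Audit exported Langflow flows for bundle URLs that fail an allowlist policy.

Schema-agnostic: every string in the JSON is visited and anything URL-like is
checked. SAMPLE_FLOW is a constructed stand-in, not a real Langflow export."""
from urllib.parse import urlparse

# Hosts the organization has vetted as bundle/API sources (assumption).
TRUSTED_HOSTS = {"bundles.internal.example", "api.openai.com"}

# Constructed flow export; the field names are illustrative only.
SAMPLE_FLOW = {
    "name": "team-rag-flow",
    "nodes": [
        {"id": "loader-1", "data": {"bundle_url": "https://bundles.internal.example/rag-v2.zip"}},
        {"id": "loader-2", "data": {"bundle_url": "http://203.0.113.7/startup.zip"}},
        {"id": "llm-1", "data": {"api_base": "https://api.openai.com/v1"}},
        {"id": "loader-3", "data": {"bundle_url": "file:///tmp/shared/bundle.zip"}},
    ],
}

def iter_strings(node, path=""):
    """Yield (json_path, value) for every string in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def check_url(url):
    """Return policy violations for one URL; an empty list means it is allowed."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme != "https":  # rejects http://, file:// and friends
        reasons.append(f"non-https scheme '{parsed.scheme}'")
    host = (parsed.hostname or "").lower()  # file:/// has no host at all
    if host not in TRUSTED_HOSTS:
        reasons.append(f"host '{host}' not in allowlist")
    return reasons

def audit_flow(flow):
    """Return a finding for every URL-like string in the flow that fails policy."""
    findings = []
    for path, value in iter_strings(flow):
        if "://" in value and (reasons := check_url(value)):
            findings.append({"path": path, "url": value, "reasons": reasons})
    return findings
```

To audit a real export, pass the result of `json.load` on the exported flow file to `audit_flow`; the JSON path in each finding points at the exact field to remove or replace.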

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI System Design and Development
NIST AI RMF: MANAGE-2.4 - Residual risks are managed and communicated
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-12822 actively exploited?

No confirmed active exploitation of CVE-2026-12822 has been reported, but a public proof-of-concept exists, so organizations should apply the compensating controls above now and patch as soon as a fixed release is published.

What systems are affected by CVE-2026-12822?

This vulnerability affects the following AI/ML architecture patterns: LLM orchestration platforms, agent frameworks, RAG pipelines, AI development environments, visual AI workflow builders.

What is the CVSS score for CVE-2026-12822?

CVE-2026-12822 has a CVSS v3.1 base score of 5.3 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

LLM orchestration platforms, agent frameworks, RAG pipelines, AI development environments, visual AI workflow builders

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

A developer with a low-privilege account on a shared AI development server hosting a team langflow instance crafts a malicious bundle URL pointing to attacker-controlled content and supplies it to the Bundle URL Loader component — either directly through the langflow UI or by modifying a shared flow definition. At component initialization or application startup (consistent with the PoC filename referencing 'startup_rce'), the Bundle URL Loader processes the malicious input and triggers code injection within the langflow process. The attacker's code reads environment variables and configuration files to harvest LLM API keys (OpenAI, Anthropic), vector store credentials, and cloud tokens. The attacker then uses the harvested API keys to run unauthorized LLM inference at the organization's cost, exfiltrates the RAG document corpus for competitive intelligence, or pivots laterally to adjacent cloud services using stolen credentials — all while the initial injection may appear as routine bundle loading activity in application logs.

Weaknesses (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Timeline

Published: June 21, 2026
Last Modified: June 21, 2026
First Seen: June 22, 2026
