CVE-2026-7687: Langflow: command injection in code parser enables RCE
MEDIUM
Langflow's Full Builtins Module Handler contains a command injection flaw in its code parsing component that allows any authenticated user to execute arbitrary OS commands on the server hosting the AI workflow platform. With network access, low complexity, and only requiring low privileges (AV:N/AC:L/PR:L), this is exploitable by any user with a langflow account — including trial or restricted users — and the exploit has been publicly disclosed with no vendor response, eliminating hope of a quiet patch cycle. The EPSS score places this CVE in the top 22% most likely to be exploited in the wild, and langflow deployments typically sit at the center of AI pipelines with direct access to LLM API keys, internal data sources, and model infrastructure. Organizations running langflow 1.8.4 or earlier should upgrade immediately or restrict code node access to trusted operators only while a patch is validated.
What is the risk?
Medium-High in practice despite the CVSS 6.3 medium rating. The vector AV:N/AC:L/PR:L means any authenticated user over the internet can exploit this with minimal skill. Langflow is commonly deployed with privileged access to LLM APIs (OpenAI, Anthropic), internal databases, and sensitive model infrastructure — a single compromised instance can cascade into broader AI pipeline exfiltration. The public disclosure with no vendor acknowledgment is particularly concerning as defenders have no official guidance and no timeline for a fix. No KEV listing and no scanner template reduce the immediate industrialized exploitation risk, but top-22% EPSS combined with a public PoC reference means targeted exploitation is plausible.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps:
1. Upgrade langflow beyond 1.8.4 as soon as a patched release is available; monitor the langflow-ai GitHub for release announcements.
2. Immediately restrict 'Code' node creation to trusted admin or operator roles only via RBAC — this eliminates the attack surface for non-admin users.
3. Run langflow in an isolated container with a non-root user, read-only filesystem where possible, and network egress limited to required API endpoints only.
4. Audit all existing flows for suspicious code nodes containing subprocess, os.system, os.popen, eval, exec, or __import__ calls.
5. Rotate all API keys and secrets accessible from the langflow host as a precaution given the public disclosure.
6. Monitor application and container logs for anomalous child process creation originating from the langflow process.
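An added example, not part of the original advisory or Langflow's own code: a static audit for the flow-review step that parses each code field of an exported flow with `ast`, without ever executing it, and reports the imports and calls named in that step. The `code.value` field layout, the `_node` helper and the sample flow are assumptions constructed for illustration.

```python
import ast
import json

RISKY_CALLS = {"os.system", "os.popen", "eval", "exec", "__import__"}
RISKY_MODULES = {"subprocess"}

def audit_source(source):
    """Flag risky imports and calls. The code is only parsed, never executed."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return [(0, "unparseable: review manually")]
    hits = []
    for node in ast.walk(tree):  # bodies, defaults, decorators, annotations
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [f"{node.module}.{a.name}" for a in node.names]
        elif isinstance(node, ast.Call):
            names = [ast.unparse(node.func)]  # e.g. "os.system" (Python 3.9+)
        else:
            continue
        hits += [(node.lineno, n) for n in names
                 if n in RISKY_CALLS or n.split(".")[0] in RISKY_MODULES]
    return sorted(hits)

def iter_code(obj, path="$"):
    """Yield (json_path, source) for each {"code": {"value": str}} field."""
    if isinstance(obj, list):
        obj = dict(enumerate(obj))
    for key, val in (obj.items() if isinstance(obj, dict) else ()):
        if key == "code" and isinstance(val, dict) and isinstance(val.get("value"), str):
            yield f"{path}.{key}", val["value"]
        else:
            yield from iter_code(val, f"{path}.{key}")

def audit_flow(flow_json):
    """Map JSON path -> (line, name) findings for each flagged code field."""
    results = {p: audit_source(s) for p, s in iter_code(json.loads(flow_json))}
    return {p: hits for p, hits in results.items() if hits}
# Constructed sample export (not a real flow); the field layout is an assumption.
def _node(src):
    return {"data": {"node": {"template": {"code": {"value": src}}}}}
SAMPLE_FLOW = json.dumps({"data": {"nodes": [
    _node("def build(text):\n    return text.upper()\n"),
    _node("import subprocess\nfrom os import popen\ndef build(cmd):\n    return subprocess.run(cmd)\n"),
]}})
if __name__ == "__main__":
    print(json.dumps(audit_flow(SAMPLE_FLOW), indent=2))
```

Aliased imports (`import os as o`) and `getattr`-style indirection are not resolved by this name matching, so treat the output as triage for manual review rather than as an enforcement control.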
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-7687?
Langflow's Full Builtins Module Handler contains a command injection flaw in its code parsing component that allows any authenticated user to execute arbitrary OS commands on the server hosting the AI workflow platform. With network access, low complexity, and only requiring low privileges (AV:N/AC:L/PR:L), this is exploitable by any user with a langflow account — including trial or restricted users — and the exploit has been publicly disclosed with no vendor response, eliminating hope of a quiet patch cycle. The EPSS score places this CVE in the top 22% most likely to be exploited in the wild, and langflow deployments typically sit at the center of AI pipelines with direct access to LLM API keys, internal data sources, and model infrastructure. Organizations running langflow 1.8.4 or earlier should upgrade immediately or restrict code node access to trusted operators only while a patch is validated.
Is CVE-2026-7687 actively exploited?
No confirmed active exploitation of CVE-2026-7687 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-7687?
1. Upgrade langflow beyond 1.8.4 as soon as a patched release is available; monitor the langflow-ai GitHub for release announcements.
2. Immediately restrict 'Code' node creation to trusted admin or operator roles only via RBAC — this eliminates the attack surface for non-admin users.
3. Run langflow in an isolated container with a non-root user, read-only filesystem where possible, and network egress limited to required API endpoints only.
4. Audit all existing flows for suspicious code nodes containing subprocess, os.system, os.popen, eval, exec, or __import__ calls.
5. Rotate all API keys and secrets accessible from the langflow host as a precaution given the public disclosure.
6. Monitor application and container logs for anomalous child process creation originating from the langflow process.
What systems are affected by CVE-2026-7687?
This vulnerability affects the following AI/ML architecture patterns: LLM application frameworks, agent frameworks, custom code execution pipelines, multi-tenant AI development platforms, RAG pipelines.
What is the CVSS score for CVE-2026-7687?
CVE-2026-7687 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 1.67%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0055 Unsecured Credentials
Compliance Controls Affected
What are the technical details?
Original Advisory
A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Exploitation Scenario
An adversary registers a low-privilege langflow account (or compromises an existing user via credential stuffing) and opens the visual flow editor. They create a code node and craft a Python callable that manipulates the parse_callable_details function by injecting OS commands through the Full Builtins module handler — for example, embedding a reverse shell payload or a command to cat the .env file. When the flow is saved or executed, the injected command runs server-side in the langflow process context. The attacker exfiltrates environment variables containing OpenAI and Anthropic API keys, database credentials, and internal service tokens, then uses those credentials to access downstream AI infrastructure or establish persistence by adding a backdoor flow that re-executes on each platform startup.
Weaknesses (CWE)
- CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (Primary)
- CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') (Primary)
CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
- [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References
Timeline
Related Vulnerabilities
- CVE-2026-10561 (10.0) Langflow: auth bypass + unauthenticated RCE (CVSS 10). Same package: langflow
- CVE-2026-55255 (9.9) Langflow: IDOR allows cross-user flow execution. Same package: langflow
- CVE-2026-33309 (9.9) langflow: Path Traversal enables file access. Same package: langflow
- CVE-2024-37014 (9.8) Langflow: unauthenticated RCE via custom component API. Same package: langflow
- CVE-2026-33017 (9.8) langflow: Code Injection enables RCE. Same package: langflow