CVE-2026-8056: Langflow: auth'd param injection via apply_tweaks() enables code exec

HIGH
Published July 17, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw in the apply_tweaks() function that fails to properly filter which component parameters an authenticated user can override at runtime via the API, and because Langflow components can execute arbitrary Python (code nodes, script components, custom tools), an attacker with only low privileges can inject unintended parameter values and achieve full compromise — CVSS 3.1 rates this 8.8 with confidentiality, integrity, and availability all rated High. There is no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this has not been observed under active exploitation, but Langflow has a track record of being targeted opportunistically once RCE-class primitives surface (prior Langflow CVEs were weaponized within days), and any authenticated user — including low-privilege service accounts or shared-tenant users — is a sufficient attacker profile here. CISOs running Langflow as an internal AI-agent/workflow orchestration layer should treat this as a priority patch: authentication does not meaningfully reduce risk given how many Langflow deployments use shared or weakly-scoped API keys. Upgrade to the patched release above 1.10.0 as soon as IBM publishes it, and in the interim restrict API access to trusted networks/users only and audit any component definitions that accept externally supplied tweaks for code-execution capable parameters.

Sources: NVD ATLAS ibm.com

What is the risk?

High-severity, network-exploitable vulnerability requiring only low privileges and no user interaction (CVSS 8.8, AC:L/PR:L/UI:N). Impact is rated High across confidentiality, integrity, and availability, consistent with a code-injection primitive (CWE-94) in a framework where components routinely execute code. Exploitability is currently unconfirmed in the wild (no EPSS score, not in CISA KEV, no public PoC or scanner template found), which lowers near-term urgency slightly, but the low bar for the attacker (any authenticated account) and the full-impact CVSS profile mean this should be treated as high risk for any internet-facing or multi-tenant Langflow deployment. Overall risk: HIGH, driven by ease of exploitation rather than confirmed active exploitation.

How does the attack unfold?

Initial Access
Attacker authenticates to the Langflow instance with a low-privilege account (e.g., a shared or self-service API key).
AML.T0049
Exploitation
Attacker calls the flow-execution API with a crafted 'tweaks' payload that apply_tweaks() fails to filter, overriding parameters on a code-execution or sensitive component.
AML.T0050
Execution
The manipulated component executes with attacker-controlled values, achieving code execution or unauthorized data/file access within the Langflow environment.
AML.T0053
Impact
Attacker achieves full confidentiality, integrity, and availability compromise of the Langflow instance, including any credentials or data reachable by executed flows.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

1 step
  1. 1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix that properly allowlists/filters tweakable parameters in apply_tweaks() — track the vendor advisory at ibm.com/support/pages/node/7278933. 2) Workaround: restrict which users/roles can call flow-execution APIs with tweaks, and where possible disable or tightly scope the tweaks parameter for flows containing code-execution, file-system, or credential-bearing components. 3) Network controls: do not expose the Langflow API directly to the internet; place it behind an authenticated gateway/VPN and enforce least-privilege API keys per user/tenant. 4) Detection: audit API access logs for unexpected tweak payloads targeting sensitive component parameters (script/code nodes, credential fields, URL/file-path parameters); alert on tweaks that deviate from a flow's expected parameter schema. 5) Review flows for components that execute code or access secrets, and treat any parameter on those components as high-risk if externally tweakable.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system design and development controls
NIST AI RMF
MEASURE 2.7 - AI system security and resilience is evaluated and documented
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-8056?

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw in the apply_tweaks() function that fails to properly filter which component parameters an authenticated user can override at runtime via the API, and because Langflow components can execute arbitrary Python (code nodes, script components, custom tools), an attacker with only low privileges can inject unintended parameter values and achieve full compromise — CVSS 3.1 rates this 8.8 with confidentiality, integrity, and availability all rated High. There is no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this has not been observed under active exploitation, but Langflow has a track record of being targeted opportunistically once RCE-class primitives surface (prior Langflow CVEs were weaponized within days), and any authenticated user — including low-privilege service accounts or shared-tenant users — is a sufficient attacker profile here. CISOs running Langflow as an internal AI-agent/workflow orchestration layer should treat this as a priority patch: authentication does not meaningfully reduce risk given how many Langflow deployments use shared or weakly-scoped API keys. Upgrade to the patched release above 1.10.0 as soon as IBM publishes it, and in the interim restrict API access to trusted networks/users only and audit any component definitions that accept externally supplied tweaks for code-execution capable parameters.

Is CVE-2026-8056 actively exploited?

No confirmed active exploitation of CVE-2026-8056 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8056?

1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix that properly allowlists/filters tweakable parameters in apply_tweaks() — track the vendor advisory at ibm.com/support/pages/node/7278933. 2) Workaround: restrict which users/roles can call flow-execution APIs with tweaks, and where possible disable or tightly scope the tweaks parameter for flows containing code-execution, file-system, or credential-bearing components. 3) Network controls: do not expose the Langflow API directly to the internet; place it behind an authenticated gateway/VPN and enforce least-privilege API keys per user/tenant. 4) Detection: audit API access logs for unexpected tweak payloads targeting sensitive component parameters (script/code nodes, credential fields, URL/file-path parameters); alert on tweaks that deviate from a flow's expected parameter schema. 5) Review flows for components that execute code or access secrets, and treat any parameter on those components as high-risk if externally tweakable.

What systems are affected by CVE-2026-8056?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, model serving, multi-tenant AI platforms.

What is the CVSS score for CVE-2026-8056?

CVE-2026-8056 has a CVSS v3.1 base score of 8.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration pipelinesmodel servingmulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the `apply_tweaks()` function.

Exploitation Scenario

An attacker obtains or is granted a low-privilege authenticated account on a shared or multi-tenant Langflow instance (common in internal developer platforms). They call the flow execution API and pass a crafted 'tweaks' payload targeting a component the flow owner did not intend to expose — for example, redirecting a code-execution or script component's parameters to run attacker-supplied logic, or altering a data-loader component to read arbitrary files from the host filesystem. Because apply_tweaks() does not sufficiently filter which parameters are overridable, the malicious tweak is accepted and applied at runtime, and the flow executes with the attacker's injected values — resulting in code execution, data exfiltration, or full compromise of the confidentiality, integrity, and availability of the Langflow instance and any credentials/data it can reach.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities