CVE-2026-8056: Langflow: auth'd param injection via apply_tweaks() enables code exec
HIGHIBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw in the apply_tweaks() function that fails to properly filter which component parameters an authenticated user can override at runtime via the API, and because Langflow components can execute arbitrary Python (code nodes, script components, custom tools), an attacker with only low privileges can inject unintended parameter values and achieve full compromise — CVSS 3.1 rates this 8.8 with confidentiality, integrity, and availability all rated High. There is no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this has not been observed under active exploitation, but Langflow has a track record of being targeted opportunistically once RCE-class primitives surface (prior Langflow CVEs were weaponized within days), and any authenticated user — including low-privilege service accounts or shared-tenant users — is a sufficient attacker profile here. CISOs running Langflow as an internal AI-agent/workflow orchestration layer should treat this as a priority patch: authentication does not meaningfully reduce risk given how many Langflow deployments use shared or weakly-scoped API keys. Upgrade to the patched release above 1.10.0 as soon as IBM publishes it, and in the interim restrict API access to trusted networks/users only and audit any component definitions that accept externally supplied tweaks for code-execution capable parameters.
What is the risk?
High-severity, network-exploitable vulnerability requiring only low privileges and no user interaction (CVSS 8.8, AC:L/PR:L/UI:N). Impact is rated High across confidentiality, integrity, and availability, consistent with a code-injection primitive (CWE-94) in a framework where components routinely execute code. Exploitability is currently unconfirmed in the wild (no EPSS score, not in CISA KEV, no public PoC or scanner template found), which lowers near-term urgency slightly, but the low bar for the attacker (any authenticated account) and the full-impact CVSS profile mean this should be treated as high risk for any internet-facing or multi-tenant Langflow deployment. Overall risk: HIGH, driven by ease of exploitation rather than confirmed active exploitation.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix that properly allowlists/filters tweakable parameters in apply_tweaks() — track the vendor advisory at ibm.com/support/pages/node/7278933. 2) Workaround: restrict which users/roles can call flow-execution APIs with tweaks, and where possible disable or tightly scope the tweaks parameter for flows containing code-execution, file-system, or credential-bearing components. 3) Network controls: do not expose the Langflow API directly to the internet; place it behind an authenticated gateway/VPN and enforce least-privilege API keys per user/tenant. 4) Detection: audit API access logs for unexpected tweak payloads targeting sensitive component parameters (script/code nodes, credential fields, URL/file-path parameters); alert on tweaks that deviate from a flow's expected parameter schema. 5) Review flows for components that execute code or access secrets, and treat any parameter on those components as high-risk if externally tweakable.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-8056?
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw in the apply_tweaks() function that fails to properly filter which component parameters an authenticated user can override at runtime via the API, and because Langflow components can execute arbitrary Python (code nodes, script components, custom tools), an attacker with only low privileges can inject unintended parameter values and achieve full compromise — CVSS 3.1 rates this 8.8 with confidentiality, integrity, and availability all rated High. There is no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this has not been observed under active exploitation, but Langflow has a track record of being targeted opportunistically once RCE-class primitives surface (prior Langflow CVEs were weaponized within days), and any authenticated user — including low-privilege service accounts or shared-tenant users — is a sufficient attacker profile here. CISOs running Langflow as an internal AI-agent/workflow orchestration layer should treat this as a priority patch: authentication does not meaningfully reduce risk given how many Langflow deployments use shared or weakly-scoped API keys. Upgrade to the patched release above 1.10.0 as soon as IBM publishes it, and in the interim restrict API access to trusted networks/users only and audit any component definitions that accept externally supplied tweaks for code-execution capable parameters.
Is CVE-2026-8056 actively exploited?
No confirmed active exploitation of CVE-2026-8056 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-8056?
1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix that properly allowlists/filters tweakable parameters in apply_tweaks() — track the vendor advisory at ibm.com/support/pages/node/7278933. 2) Workaround: restrict which users/roles can call flow-execution APIs with tweaks, and where possible disable or tightly scope the tweaks parameter for flows containing code-execution, file-system, or credential-bearing components. 3) Network controls: do not expose the Langflow API directly to the internet; place it behind an authenticated gateway/VPN and enforce least-privilege API keys per user/tenant. 4) Detection: audit API access logs for unexpected tweak payloads targeting sensitive component parameters (script/code nodes, credential fields, URL/file-path parameters); alert on tweaks that deviate from a flow's expected parameter schema. 5) Review flows for components that execute code or access secrets, and treat any parameter on those components as high-risk if externally tweakable.
What systems are affected by CVE-2026-8056?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, model serving, multi-tenant AI platforms.
What is the CVSS score for CVE-2026-8056?
CVE-2026-8056 has a CVSS v3.1 base score of 8.8 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the `apply_tweaks()` function.
Exploitation Scenario
An attacker obtains or is granted a low-privilege authenticated account on a shared or multi-tenant Langflow instance (common in internal developer platforms). They call the flow execution API and pass a crafted 'tweaks' payload targeting a component the flow owner did not intend to expose — for example, redirecting a code-execution or script component's parameters to run attacker-supplied logic, or altering a data-loader component to read arbitrary files from the host filesystem. Because apply_tweaks() does not sufficiently filter which parameters are overridable, the malicious tweak is accepted and applied at runtime, and the flow executes with the attacker's injected values — resulting in code execution, data exfiltration, or full compromise of the confidentiality, integrity, and availability of the Langflow instance and any credentials/data it can reach.
Weaknesses (CWE)
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow