CVE-2026-8481: Langflow: unsandboxed exec() enables full RCE
CRITICALIBM Langflow's code validation endpoint (POST /api/v1/validate/code) passes any authenticated user's Python straight into exec() with no sandboxing, so 'validating' a flow component is functionally the same as handing that user a shell on the Langflow host. With a CVSS of 9.9, network attack vector, low attack complexity, only low privileges required and zero user interaction, this is about as close to unauthenticated RCE as a low-priv vuln gets — any account, even a low-trust or service account, can pivot to full server compromise, including whatever secrets, API keys, or downstream LLM/vector-DB credentials the Langflow process can reach. It isn't in CISA KEV and no public exploit or Nuclei template exists yet, so in-the-wild exploitation hasn't been confirmed, but treat the absence of EPSS/KEV data as 'not yet observed,' not 'safe' — this is a two-line proof-of-concept for anyone with API access. Any Langflow deployment on versions 1.0.0 through 1.10.0 exposed beyond a hardened internal network should be patched to a fixed release immediately, or in the interim placed behind network controls that block or heavily restrict /api/v1/validate/code and alert on payloads containing os.system, subprocess, or socket calls.
What is the risk?
Near-maximum severity: exploitability is trivial (a single crafted HTTP POST, no user interaction, low attack complexity) and impact is complete (confidentiality, integrity and availability all rated High under CVSS 3.1). The only mitigating factor is the low-privilege authentication requirement, which caps this just under a fully unauthenticated 10.0 — but any tenant, contractor, or compromised low-trust account on a shared Langflow instance clears that bar instantly. Exposure hinges entirely on deployment: internet-facing or multi-tenant Langflow instances are critical-priority; strictly air-gapped single-user instances carry materially lower real-world risk despite the identical CVSS score.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade Langflow past 1.10.0 as soon as IBM ships a patched release (track https://www.ibm.com/support/pages/node/7278923 for the fix version). Until patched, restrict network access to /api/v1/validate/code to trusted admins only via reverse-proxy rules or an API gateway, or disable the code-validation feature entirely if flows don't require custom Python components. Run the Langflow service under a least-privilege, isolated service account (no access to production secrets or lateral network paths) so a successful exploit is contained. For detection, alert on Langflow process trees spawning unexpected child processes (bash, curl, nc, python subprocess calls) and on outbound connections initiated by the Langflow host that don't match known integrations.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-8481?
IBM Langflow's code validation endpoint (POST /api/v1/validate/code) passes any authenticated user's Python straight into exec() with no sandboxing, so 'validating' a flow component is functionally the same as handing that user a shell on the Langflow host. With a CVSS of 9.9, network attack vector, low attack complexity, only low privileges required and zero user interaction, this is about as close to unauthenticated RCE as a low-priv vuln gets — any account, even a low-trust or service account, can pivot to full server compromise, including whatever secrets, API keys, or downstream LLM/vector-DB credentials the Langflow process can reach. It isn't in CISA KEV and no public exploit or Nuclei template exists yet, so in-the-wild exploitation hasn't been confirmed, but treat the absence of EPSS/KEV data as 'not yet observed,' not 'safe' — this is a two-line proof-of-concept for anyone with API access. Any Langflow deployment on versions 1.0.0 through 1.10.0 exposed beyond a hardened internal network should be patched to a fixed release immediately, or in the interim placed behind network controls that block or heavily restrict /api/v1/validate/code and alert on payloads containing os.system, subprocess, or socket calls.
Is CVE-2026-8481 actively exploited?
No confirmed active exploitation of CVE-2026-8481 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-8481?
Upgrade Langflow past 1.10.0 as soon as IBM ships a patched release (track https://www.ibm.com/support/pages/node/7278923 for the fix version). Until patched, restrict network access to /api/v1/validate/code to trusted admins only via reverse-proxy rules or an API gateway, or disable the code-validation feature entirely if flows don't require custom Python components. Run the Langflow service under a least-privilege, isolated service account (no access to production secrets or lateral network paths) so a successful exploit is contained. For detection, alert on Langflow process trees spawning unexpected child processes (bash, curl, nc, python subprocess calls) and on outbound connections initiated by the Langflow host that don't match known integrations.
What systems are affected by CVE-2026-8481?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM pipeline builders, low-code AI orchestration.
What is the CVSS score for CVE-2026-8481?
CVE-2026-8481 has a CVSS v3.1 base score of 9.9 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0072 Reverse Shell Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process.
Exploitation Scenario
An attacker who has obtained or been granted a low-privilege Langflow account (e.g., a shared internal 'flow builder' credential, or one phished/leaked from a teammate) sends a POST request to /api/v1/validate/code with a payload such as a Python snippet that calls os.system() or subprocess.Popen() to download and execute a reverse-shell script. Because the endpoint execs the code directly with no sandbox, the command runs with the full privileges of the Langflow server process — granting the attacker a shell on the host, access to environment variables and config files holding LLM API keys and vector-DB credentials, and a foothold to pivot into any internal systems the Langflow deployment can reach.
Weaknesses (CWE)
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow