CVE-2026-8481: Langflow: unsandboxed exec() enables full RCE

CRITICAL
Published July 17, 2026
CISO Take

IBM Langflow's code validation endpoint (POST /api/v1/validate/code) passes any authenticated user's Python straight into exec() with no sandboxing, so 'validating' a flow component is functionally the same as handing that user a shell on the Langflow host. With a CVSS of 9.9, network attack vector, low attack complexity, only low privileges required and zero user interaction, this is about as close to unauthenticated RCE as a low-priv vuln gets — any account, even a low-trust or service account, can pivot to full server compromise, including whatever secrets, API keys, or downstream LLM/vector-DB credentials the Langflow process can reach. It isn't in CISA KEV and no public exploit or Nuclei template exists yet, so in-the-wild exploitation hasn't been confirmed, but treat the absence of EPSS/KEV data as 'not yet observed,' not 'safe' — this is a two-line proof-of-concept for anyone with API access. Any Langflow deployment on versions 1.0.0 through 1.10.0 exposed beyond a hardened internal network should be patched to a fixed release immediately, or in the interim placed behind network controls that block or heavily restrict /api/v1/validate/code and alert on payloads containing os.system, subprocess, or socket calls.

Sources: NVD ATLAS ibm.com

What is the risk?

Near-maximum severity: exploitability is trivial (a single crafted HTTP POST, no user interaction, low attack complexity) and impact is complete (confidentiality, integrity and availability all rated High under CVSS 3.1). The only mitigating factor is the low-privilege authentication requirement, which caps this just under a fully unauthenticated 10.0 — but any tenant, contractor, or compromised low-trust account on a shared Langflow instance clears that bar instantly. Exposure hinges entirely on deployment: internet-facing or multi-tenant Langflow instances are critical-priority; strictly air-gapped single-user instances carry materially lower real-world risk despite the identical CVSS score.

How does the attack unfold?

Initial Access
Attacker obtains or already holds a low-privilege authenticated account on the target Langflow instance.
AML.T0012
Exploitation
Attacker submits a malicious Python payload to POST /api/v1/validate/code, exploiting the unsandboxed code validation endpoint.
AML.T0049
Execution
The payload runs via exec() with no sandboxing, letting the attacker issue arbitrary system commands with the Langflow server process's privileges.
AML.T0050
Impact
Attacker achieves full host compromise, harvesting LLM API keys, vector-DB credentials, and other secrets to pivot deeper into the AI stack and network.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.9 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A High

What should I do?

1 step
  1. Upgrade Langflow past 1.10.0 as soon as IBM ships a patched release (track https://www.ibm.com/support/pages/node/7278923 for the fix version). Until patched, restrict network access to /api/v1/validate/code to trusted admins only via reverse-proxy rules or an API gateway, or disable the code-validation feature entirely if flows don't require custom Python components. Run the Langflow service under a least-privilege, isolated service account (no access to production secrets or lateral network paths) so a successful exploit is contained. For detection, alert on Langflow process trees spawning unexpected child processes (bash, curl, nc, python subprocess calls) and on outbound connections initiated by the Langflow host that don't match known integrations.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-8481?

IBM Langflow's code validation endpoint (POST /api/v1/validate/code) passes any authenticated user's Python straight into exec() with no sandboxing, so 'validating' a flow component is functionally the same as handing that user a shell on the Langflow host. With a CVSS of 9.9, network attack vector, low attack complexity, only low privileges required and zero user interaction, this is about as close to unauthenticated RCE as a low-priv vuln gets — any account, even a low-trust or service account, can pivot to full server compromise, including whatever secrets, API keys, or downstream LLM/vector-DB credentials the Langflow process can reach. It isn't in CISA KEV and no public exploit or Nuclei template exists yet, so in-the-wild exploitation hasn't been confirmed, but treat the absence of EPSS/KEV data as 'not yet observed,' not 'safe' — this is a two-line proof-of-concept for anyone with API access. Any Langflow deployment on versions 1.0.0 through 1.10.0 exposed beyond a hardened internal network should be patched to a fixed release immediately, or in the interim placed behind network controls that block or heavily restrict /api/v1/validate/code and alert on payloads containing os.system, subprocess, or socket calls.

Is CVE-2026-8481 actively exploited?

No confirmed active exploitation of CVE-2026-8481 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8481?

Upgrade Langflow past 1.10.0 as soon as IBM ships a patched release (track https://www.ibm.com/support/pages/node/7278923 for the fix version). Until patched, restrict network access to /api/v1/validate/code to trusted admins only via reverse-proxy rules or an API gateway, or disable the code-validation feature entirely if flows don't require custom Python components. Run the Langflow service under a least-privilege, isolated service account (no access to production secrets or lateral network paths) so a successful exploit is contained. For detection, alert on Langflow process trees spawning unexpected child processes (bash, curl, nc, python subprocess calls) and on outbound connections initiated by the Langflow host that don't match known integrations.

What systems are affected by CVE-2026-8481?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM pipeline builders, low-code AI orchestration.

What is the CVSS score for CVE-2026-8481?

CVE-2026-8481 has a CVSS v3.1 base score of 9.9 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM pipeline builderslow-code AI orchestration

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process.

Exploitation Scenario

An attacker who has obtained or been granted a low-privilege Langflow account (e.g., a shared internal 'flow builder' credential, or one phished/leaked from a teammate) sends a POST request to /api/v1/validate/code with a payload such as a Python snippet that calls os.system() or subprocess.Popen() to download and execute a reverse-shell script. Because the endpoint execs the code directly with no sandbox, the command runs with the full privileges of the Langflow server process — granting the attacker a shell on the host, access to environment variables and config files holding LLM API keys and vector-DB credentials, and a foothold to pivot into any internal systems the Langflow deployment can reach.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities