CVE-2026-8635: Langflow: DB manipulation escalates to superuser RCE

CRITICAL
Published July 17, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw that lets any authenticated user — even a low-privilege one — directly manipulate the underlying database to grant themselves superuser rights, then execute arbitrary system commands with the permissions of the Langflow service. Langflow is a widely deployed low-code framework for building LLM agent workflows, so this sits directly in the path of an organization's agentic AI pipelines, and a CVSS score of 9.9 with only low privileges required (PR:L) and no user interaction (UI:N) makes exploitation straightforward for anyone who can already log in, including former employees, low-trust partners, or compromised low-tier accounts. There is no CISA KEV listing, no known public exploit, and no EPSS data yet, so active mass exploitation hasn't been confirmed, but the trivial exploitation path combined with a full confidentiality/integrity/availability compromise means it should be treated as high priority regardless. Organizations running self-hosted Langflow should immediately restrict which users hold accounts, keep instances off the public internet, apply IBM's fix as soon as it ships, and watch database and process logs for unexpected role changes or shell execution from the Langflow service account in the meantime.

Sources: NVD ATLAS ibm.com

What is the risk?

Critical. CVSS 9.9 reflects near-worst-case severity: low attack complexity, only low privileges required, no user interaction, and complete loss of confidentiality, integrity, and availability. The scope change (S:C) means impact extends past Langflow itself to the underlying host, since successful exploitation yields arbitrary system command execution with service-account permissions. Exploitability in the wild is currently unconfirmed (not in CISA KEV, no EPSS score, no public PoC or Nuclei template), but the low bar to trigger it — any authenticated user, no special conditions — means risk rises sharply the moment a PoC surfaces. Any Langflow deployment with more than a handful of trusted users, or with self-service/SSO signup enabled, should be treated as high risk today.

How does the attack unfold?

Initial Access
Attacker obtains a low-privilege authenticated Langflow account through a compromised user, permissive signup, or stolen credentials.
AML.T0012
Privilege Escalation
Attacker directly manipulates the Langflow database to alter their own user record and grant themselves superuser status.
Execution
With superuser access, the attacker executes arbitrary system commands with the permissions of the Langflow service account.
AML.T0050
Impact
Attacker achieves full system compromise, potentially pivoting to LLM API keys, vector database credentials, and connected internal systems.
AML.T0112

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.9 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A High

What should I do?

1 step
  1. Upgrade to the patched Langflow release as soon as IBM publishes one (track the referenced IBM support advisory for the fixed version). Until patched, restrict Langflow access to a minimal set of trusted users, avoid exposing instances directly to the internet or to low-trust internal populations, and enforce network segmentation plus least-privilege OS permissions on the Langflow service account to shrink the blast radius of any in-app escalation. Monitor for anomalous writes to user/role tables in the Langflow database and for unexpected shell or subprocess activity originating from the Langflow process, and rotate LLM API keys, vector DB credentials, and tool integration tokens accessible to the instance if compromise is suspected.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Annex A.6 - AI system life cycle security controls
NIST AI RMF
GOVERN 1.5 - Cybersecurity risk management integrated into AI risk management
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-8635?

IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw that lets any authenticated user — even a low-privilege one — directly manipulate the underlying database to grant themselves superuser rights, then execute arbitrary system commands with the permissions of the Langflow service. Langflow is a widely deployed low-code framework for building LLM agent workflows, so this sits directly in the path of an organization's agentic AI pipelines, and a CVSS score of 9.9 with only low privileges required (PR:L) and no user interaction (UI:N) makes exploitation straightforward for anyone who can already log in, including former employees, low-trust partners, or compromised low-tier accounts. There is no CISA KEV listing, no known public exploit, and no EPSS data yet, so active mass exploitation hasn't been confirmed, but the trivial exploitation path combined with a full confidentiality/integrity/availability compromise means it should be treated as high priority regardless. Organizations running self-hosted Langflow should immediately restrict which users hold accounts, keep instances off the public internet, apply IBM's fix as soon as it ships, and watch database and process logs for unexpected role changes or shell execution from the Langflow service account in the meantime.

Is CVE-2026-8635 actively exploited?

No confirmed active exploitation of CVE-2026-8635 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8635?

Upgrade to the patched Langflow release as soon as IBM publishes one (track the referenced IBM support advisory for the fixed version). Until patched, restrict Langflow access to a minimal set of trusted users, avoid exposing instances directly to the internet or to low-trust internal populations, and enforce network segmentation plus least-privilege OS permissions on the Langflow service account to shrink the blast radius of any in-app escalation. Monitor for anomalous writes to user/role tables in the Langflow database and for unexpected shell or subprocess activity originating from the Langflow process, and rotate LLM API keys, vector DB credentials, and tool integration tokens accessible to the instance if compromise is suspected.

What systems are affected by CVE-2026-8635?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, low-code AI pipelines, RAG pipelines.

What is the CVSS score for CVE-2026-8635?

CVE-2026-8635 has a CVSS v3.1 base score of 9.9 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworkslow-code AI pipelinesRAG pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0047 AI-Enabled Product or Service
AML.T0050 Command and Scripting Interpreter
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Annex A.6
NIST AI RMF: GOVERN 1.5
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipulating the database, execute arbitrary system commands, and achieve full system compromise with Langflow service permissions.

Exploitation Scenario

An attacker obtains a low-privilege Langflow account — via a compromised internal user, a permissively configured self-service signup, or stolen credentials — and uses direct database access to modify their own user record, flipping a role/permission field to grant themselves superuser status. With superuser access inside Langflow, they abuse an administrative or code-execution capability of the platform to run arbitrary system commands with the privileges of the Langflow service account. From there they harvest LLM API keys and vector database credentials configured in the platform, pivot to connected internal systems, or use the compromised host as a foothold for broader network compromise.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities