CVE-2026-8635: Langflow: DB manipulation escalates to superuser RCE
CRITICALIBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw that lets any authenticated user — even a low-privilege one — directly manipulate the underlying database to grant themselves superuser rights, then execute arbitrary system commands with the permissions of the Langflow service. Langflow is a widely deployed low-code framework for building LLM agent workflows, so this sits directly in the path of an organization's agentic AI pipelines, and a CVSS score of 9.9 with only low privileges required (PR:L) and no user interaction (UI:N) makes exploitation straightforward for anyone who can already log in, including former employees, low-trust partners, or compromised low-tier accounts. There is no CISA KEV listing, no known public exploit, and no EPSS data yet, so active mass exploitation hasn't been confirmed, but the trivial exploitation path combined with a full confidentiality/integrity/availability compromise means it should be treated as high priority regardless. Organizations running self-hosted Langflow should immediately restrict which users hold accounts, keep instances off the public internet, apply IBM's fix as soon as it ships, and watch database and process logs for unexpected role changes or shell execution from the Langflow service account in the meantime.
What is the risk?
Critical. CVSS 9.9 reflects near-worst-case severity: low attack complexity, only low privileges required, no user interaction, and complete loss of confidentiality, integrity, and availability. The scope change (S:C) means impact extends past Langflow itself to the underlying host, since successful exploitation yields arbitrary system command execution with service-account permissions. Exploitability in the wild is currently unconfirmed (not in CISA KEV, no EPSS score, no public PoC or Nuclei template), but the low bar to trigger it — any authenticated user, no special conditions — means risk rises sharply the moment a PoC surfaces. Any Langflow deployment with more than a handful of trusted users, or with self-service/SSO signup enabled, should be treated as high risk today.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade to the patched Langflow release as soon as IBM publishes one (track the referenced IBM support advisory for the fixed version). Until patched, restrict Langflow access to a minimal set of trusted users, avoid exposing instances directly to the internet or to low-trust internal populations, and enforce network segmentation plus least-privilege OS permissions on the Langflow service account to shrink the blast radius of any in-app escalation. Monitor for anomalous writes to user/role tables in the Langflow database and for unexpected shell or subprocess activity originating from the Langflow process, and rotate LLM API keys, vector DB credentials, and tool integration tokens accessible to the instance if compromise is suspected.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-8635?
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a flaw that lets any authenticated user — even a low-privilege one — directly manipulate the underlying database to grant themselves superuser rights, then execute arbitrary system commands with the permissions of the Langflow service. Langflow is a widely deployed low-code framework for building LLM agent workflows, so this sits directly in the path of an organization's agentic AI pipelines, and a CVSS score of 9.9 with only low privileges required (PR:L) and no user interaction (UI:N) makes exploitation straightforward for anyone who can already log in, including former employees, low-trust partners, or compromised low-tier accounts. There is no CISA KEV listing, no known public exploit, and no EPSS data yet, so active mass exploitation hasn't been confirmed, but the trivial exploitation path combined with a full confidentiality/integrity/availability compromise means it should be treated as high priority regardless. Organizations running self-hosted Langflow should immediately restrict which users hold accounts, keep instances off the public internet, apply IBM's fix as soon as it ships, and watch database and process logs for unexpected role changes or shell execution from the Langflow service account in the meantime.
Is CVE-2026-8635 actively exploited?
No confirmed active exploitation of CVE-2026-8635 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-8635?
Upgrade to the patched Langflow release as soon as IBM publishes one (track the referenced IBM support advisory for the fixed version). Until patched, restrict Langflow access to a minimal set of trusted users, avoid exposing instances directly to the internet or to low-trust internal populations, and enforce network segmentation plus least-privilege OS permissions on the Langflow service account to shrink the blast radius of any in-app escalation. Monitor for anomalous writes to user/role tables in the Langflow database and for unexpected shell or subprocess activity originating from the Langflow process, and rotate LLM API keys, vector DB credentials, and tool integration tokens accessible to the instance if compromise is suspected.
What systems are affected by CVE-2026-8635?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, low-code AI pipelines, RAG pipelines.
What is the CVSS score for CVE-2026-8635?
CVE-2026-8635 has a CVSS v3.1 base score of 9.9 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0047 AI-Enabled Product or Service AML.T0050 Command and Scripting Interpreter AML.T0112 Machine Compromise Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges to superuser by directly manipulating the database, execute arbitrary system commands, and achieve full system compromise with Langflow service permissions.
Exploitation Scenario
An attacker obtains a low-privilege Langflow account — via a compromised internal user, a permissively configured self-service signup, or stolen credentials — and uses direct database access to modify their own user record, flipping a role/permission field to grant themselves superuser status. With superuser access inside Langflow, they abuse an administrative or code-execution capability of the platform to run arbitrary system commands with the privileges of the Langflow service account. From there they harvest LLM API keys and vector database credentials configured in the platform, pivot to connected internal systems, or use the compromised host as a foothold for broader network compromise.
Weaknesses (CWE)
CWE-94 Improper Control of Generation of Code ('Code Injection')
Primary
CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow