CVE-2026-9135: Langflow: code injection bypasses ToolGuard, enables RCE
CRITICALLangflow's ToolGuard control is meant to sandbox custom Python code inside agent flows, but the validation only checks the main component's source field and never inspects the dynamic CodeInput fields where generated ToolGuard scripts are actually stored, so any authenticated user with flow-creation rights can smuggle in arbitrary Python that runs server-side the moment a guarded tool fires. The CVSS 9.9 score is justified: the flaw needs only low privileges and no user interaction, and it can be escalated cross-tenant because the agentic MCP endpoint update_flow_component_field trusts an attacker-supplied user_id, letting one user plant malicious code inside another user's flow. There is no EPSS score, CISA KEV listing, public exploit, or Nuclei template yet, so this looks pre-weaponization rather than actively exploited — but the bug is trivial to reproduce once understood and Langflow is widely used for internal agent/RAG orchestration, often with self-registration enabled. If AUTO_LOGIN=true or NEW_USER_IS_ACTIVE=true is set, the effective barrier to exploitation drops close to unauthenticated, so treat that combination as an emergency misconfiguration to fix today. Patch to the IBM-released fixed build past commit 94981c44 (versions 1.0.0–1.10.0 are affected), disable AUTO_LOGIN/NEW_USER_IS_ACTIVE on internet-facing instances, and audit stored flows for CodeInput payloads that don't match expected ToolGuard-generated content.
What is the risk?
High exploitability combined with critical impact. Attack vector is network, attack complexity is low, and only low privileges are required with no user interaction — this is a low bar for any authenticated user, not just admins. Impact is total: confidentiality, integrity, and availability are all rated High because success grants arbitrary server-side Python execution. Exposure is amplified by the cross-tenant escalation path (MCP update_flow_component_field with attacker-controlled user_id) and by common misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true) that reduce effective authentication requirements. No active exploitation signals exist yet (no KEV, no EPSS, no public PoC/Nuclei template), but the specificity and clarity of the bypass mechanism make rapid weaponization plausible once details circulate.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade Langflow past the vulnerable range (1.0.0–1.10.0, fixed commit 94981c443d4918517b9e8163d70fc598dc33a32d) to the IBM-patched release referenced in the vendor advisory. 2) Immediately audit and, if present, disable AUTO_LOGIN and NEW_USER_IS_ACTIVE in production configs — this combination materially lowers the authentication bar. 3) Restrict flow-creation privileges to trusted users only until patched; treat allow_custom_components=false as insufficient on its own. 4) Audit existing flows/Flow.data for CodeInput fields containing unexpected or obfuscated Python, particularly around ToolGuard-related components. 5) Review MCP integration logs for update_flow_component_field calls with user_id values that don't match the calling session/user, which would indicate cross-tenant tampering. 6) Restrict public flow sharing and MCP write access to trusted, authenticated automation only.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-9135?
Langflow's ToolGuard control is meant to sandbox custom Python code inside agent flows, but the validation only checks the main component's source field and never inspects the dynamic CodeInput fields where generated ToolGuard scripts are actually stored, so any authenticated user with flow-creation rights can smuggle in arbitrary Python that runs server-side the moment a guarded tool fires. The CVSS 9.9 score is justified: the flaw needs only low privileges and no user interaction, and it can be escalated cross-tenant because the agentic MCP endpoint update_flow_component_field trusts an attacker-supplied user_id, letting one user plant malicious code inside another user's flow. There is no EPSS score, CISA KEV listing, public exploit, or Nuclei template yet, so this looks pre-weaponization rather than actively exploited — but the bug is trivial to reproduce once understood and Langflow is widely used for internal agent/RAG orchestration, often with self-registration enabled. If AUTO_LOGIN=true or NEW_USER_IS_ACTIVE=true is set, the effective barrier to exploitation drops close to unauthenticated, so treat that combination as an emergency misconfiguration to fix today. Patch to the IBM-released fixed build past commit 94981c44 (versions 1.0.0–1.10.0 are affected), disable AUTO_LOGIN/NEW_USER_IS_ACTIVE on internet-facing instances, and audit stored flows for CodeInput payloads that don't match expected ToolGuard-generated content.
Is CVE-2026-9135 actively exploited?
No confirmed active exploitation of CVE-2026-9135 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-9135?
1) Upgrade Langflow past the vulnerable range (1.0.0–1.10.0, fixed commit 94981c443d4918517b9e8163d70fc598dc33a32d) to the IBM-patched release referenced in the vendor advisory. 2) Immediately audit and, if present, disable AUTO_LOGIN and NEW_USER_IS_ACTIVE in production configs — this combination materially lowers the authentication bar. 3) Restrict flow-creation privileges to trusted users only until patched; treat allow_custom_components=false as insufficient on its own. 4) Audit existing flows/Flow.data for CodeInput fields containing unexpected or obfuscated Python, particularly around ToolGuard-related components. 5) Review MCP integration logs for update_flow_component_field calls with user_id values that don't match the calling session/user, which would indicate cross-tenant tampering. 6) Restrict public flow sharing and MCP write access to trusted, authenticated automation only.
What systems are affected by CVE-2026-9135?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP-integrated agent tooling, RAG pipelines, LLM orchestration flow builders.
What is the CVSS score for CVE-2026-9135?
CVE-2026-9135 has a CVSS v3.1 base score of 9.9 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.
Exploitation Scenario
An attacker with a low-privilege authenticated account (or a self-registered account, if AUTO_LOGIN/NEW_USER_IS_ACTIVE are enabled) creates or edits a Langflow flow containing a ToolGuard-guarded tool. Instead of placing malicious code in the checked node_template['code']['value'] field, the attacker embeds it in the unvalidated dynamic CodeInput field where Langflow stores the generated ToolGuard Python file — this bypasses allow_custom_components=false entirely. The attacker then invokes the guarded tool through normal flow execution, and the ToolGuard runtime executes the malicious code server-side, granting the attacker a foothold with the Langflow backend's privileges. To broaden impact, the attacker abuses the agentic MCP tool update_flow_component_field, supplying another tenant's user_id, to inject the same malicious CodeInput payload into a victim's flow — turning a single-tenant bug into a multi-tenant compromise triggered whenever the victim (or automation) next runs their own flow.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow