CVE-2026-9135: Langflow: code injection bypasses ToolGuard, enables RCE

CRITICAL
Published July 17, 2026
CISO Take

Langflow's ToolGuard control is meant to sandbox custom Python code inside agent flows, but the validation only checks the main component's source field and never inspects the dynamic CodeInput fields where generated ToolGuard scripts are actually stored, so any authenticated user with flow-creation rights can smuggle in arbitrary Python that runs server-side the moment a guarded tool fires. The CVSS 9.9 score is justified: the flaw needs only low privileges and no user interaction, and it can be escalated cross-tenant because the agentic MCP endpoint update_flow_component_field trusts an attacker-supplied user_id, letting one user plant malicious code inside another user's flow. There is no EPSS score, CISA KEV listing, public exploit, or Nuclei template yet, so this looks pre-weaponization rather than actively exploited — but the bug is trivial to reproduce once understood and Langflow is widely used for internal agent/RAG orchestration, often with self-registration enabled. If AUTO_LOGIN=true or NEW_USER_IS_ACTIVE=true is set, the effective barrier to exploitation drops close to unauthenticated, so treat that combination as an emergency misconfiguration to fix today. Patch to the IBM-released fixed build past commit 94981c44 (versions 1.0.0–1.10.0 are affected), disable AUTO_LOGIN/NEW_USER_IS_ACTIVE on internet-facing instances, and audit stored flows for CodeInput payloads that don't match expected ToolGuard-generated content.

Sources: NVD ATLAS ibm.com

What is the risk?

High exploitability combined with critical impact. Attack vector is network, attack complexity is low, and only low privileges are required with no user interaction — this is a low bar for any authenticated user, not just admins. Impact is total: confidentiality, integrity, and availability are all rated High because success grants arbitrary server-side Python execution. Exposure is amplified by the cross-tenant escalation path (MCP update_flow_component_field with attacker-controlled user_id) and by common misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true) that reduce effective authentication requirements. No active exploitation signals exist yet (no KEV, no EPSS, no public PoC/Nuclei template), but the specificity and clarity of the bypass mechanism make rapid weaponization plausible once details circulate.

How does the attack unfold?

Initial Access
Attacker obtains a low-privilege authenticated Langflow account with flow-creation rights, aided if AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true reduce the auth barrier.
AML.T0012
Guardrail Bypass / Code Injection
Attacker embeds malicious Python in the unvalidated dynamic CodeInput field storing the ToolGuard-generated file, evading the allow_custom_components=false check that only inspects node_template['code']['value'].
AML.T0050
Cross-Tenant Escalation
Attacker calls the agentic MCP tool update_flow_component_field with an attacker-controlled user_id to inject the same payload into a victim tenant's flow, or relies on publicly shared flows to widen reach.
AML.T0081
Execution / Impact
When the guarded tool is invoked through the ToolGuard runtime, the injected code executes server-side, giving the attacker arbitrary Python code execution and full compromise of confidentiality, integrity, and availability.
AML.T0053

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 33% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.9 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Advanced

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A High

What should I do?

1 step
  1. 1) Upgrade Langflow past the vulnerable range (1.0.0–1.10.0, fixed commit 94981c443d4918517b9e8163d70fc598dc33a32d) to the IBM-patched release referenced in the vendor advisory. 2) Immediately audit and, if present, disable AUTO_LOGIN and NEW_USER_IS_ACTIVE in production configs — this combination materially lowers the authentication bar. 3) Restrict flow-creation privileges to trusted users only until patched; treat allow_custom_components=false as insufficient on its own. 4) Audit existing flows/Flow.data for CodeInput fields containing unexpected or obfuscated Python, particularly around ToolGuard-related components. 5) Review MCP integration logs for update_flow_component_field calls with user_id values that don't match the calling session/user, which would indicate cross-tenant tampering. 6) Restrict public flow sharing and MCP write access to trusted, authenticated automation only.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI systems
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-9135?

Langflow's ToolGuard control is meant to sandbox custom Python code inside agent flows, but the validation only checks the main component's source field and never inspects the dynamic CodeInput fields where generated ToolGuard scripts are actually stored, so any authenticated user with flow-creation rights can smuggle in arbitrary Python that runs server-side the moment a guarded tool fires. The CVSS 9.9 score is justified: the flaw needs only low privileges and no user interaction, and it can be escalated cross-tenant because the agentic MCP endpoint update_flow_component_field trusts an attacker-supplied user_id, letting one user plant malicious code inside another user's flow. There is no EPSS score, CISA KEV listing, public exploit, or Nuclei template yet, so this looks pre-weaponization rather than actively exploited — but the bug is trivial to reproduce once understood and Langflow is widely used for internal agent/RAG orchestration, often with self-registration enabled. If AUTO_LOGIN=true or NEW_USER_IS_ACTIVE=true is set, the effective barrier to exploitation drops close to unauthenticated, so treat that combination as an emergency misconfiguration to fix today. Patch to the IBM-released fixed build past commit 94981c44 (versions 1.0.0–1.10.0 are affected), disable AUTO_LOGIN/NEW_USER_IS_ACTIVE on internet-facing instances, and audit stored flows for CodeInput payloads that don't match expected ToolGuard-generated content.

Is CVE-2026-9135 actively exploited?

No confirmed active exploitation of CVE-2026-9135 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-9135?

1) Upgrade Langflow past the vulnerable range (1.0.0–1.10.0, fixed commit 94981c443d4918517b9e8163d70fc598dc33a32d) to the IBM-patched release referenced in the vendor advisory. 2) Immediately audit and, if present, disable AUTO_LOGIN and NEW_USER_IS_ACTIVE in production configs — this combination materially lowers the authentication bar. 3) Restrict flow-creation privileges to trusted users only until patched; treat allow_custom_components=false as insufficient on its own. 4) Audit existing flows/Flow.data for CodeInput fields containing unexpected or obfuscated Python, particularly around ToolGuard-related components. 5) Review MCP integration logs for update_flow_component_field calls with user_id values that don't match the calling session/user, which would indicate cross-tenant tampering. 6) Restrict public flow sharing and MCP write access to trusted, authenticated automation only.

What systems are affected by CVE-2026-9135?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP-integrated agent tooling, RAG pipelines, LLM orchestration flow builders.

What is the CVSS score for CVE-2026-9135?

CVE-2026-9135 has a CVSS v3.1 base score of 9.9 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksMCP-integrated agent toolingRAG pipelinesLLM orchestration flow builders

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.

Exploitation Scenario

An attacker with a low-privilege authenticated account (or a self-registered account, if AUTO_LOGIN/NEW_USER_IS_ACTIVE are enabled) creates or edits a Langflow flow containing a ToolGuard-guarded tool. Instead of placing malicious code in the checked node_template['code']['value'] field, the attacker embeds it in the unvalidated dynamic CodeInput field where Langflow stores the generated ToolGuard Python file — this bypasses allow_custom_components=false entirely. The attacker then invokes the guarded tool through normal flow execution, and the ToolGuard runtime executes the malicious code server-side, granting the attacker a foothold with the Langflow backend's privileges. To broaden impact, the attacker abuses the agentic MCP tool update_flow_component_field, supplying another tenant's user_id, to inject the same malicious CodeInput payload into a victim's flow — turning a single-tenant bug into a multi-tenant compromise triggered whenever the victim (or automation) next runs their own flow.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities