CVE-2026-9198: Langflow: token forgery + exec() chain to RCE
CRITICALLangflow's /api/v1/auto_login endpoint mints a valid SUPERUSER JWT for any unauthenticated network caller, and that token can immediately be used against /api/v1/validate/code, an endpoint that runs submitted Python through exec(). Chained together, a remote attacker with zero credentials and zero user interaction gets full code execution on any default Langflow deployment — this is as close to a worst-case CVSS 9.8 as it gets for an agent-orchestration framework. There is no EPSS score or CISA KEV listing yet and no public PoC or Nuclei template has surfaced, but the bug requires no exploitation skill (two chained HTTP calls) and Langflow already carries 69 other CVEs and a package risk score of 77/100, so mass scanning the moment this becomes public is a near-certainty. Patch to the fixed IBM Langflow release immediately, and until confirmed patched, do not expose Langflow's API on any untrusted network — put it behind authentication at the network layer (VPN/mTLS/allowlist) since the app's own auth cannot be trusted for this endpoint pair. Detection teams should alert on any external call to /api/v1/auto_login followed by /api/v1/validate/code, and hunt for unexpected child processes spawned by the Langflow service account.
What is the risk?
Critical risk. CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects an unauthenticated, no-interaction, low-complexity path to full compromise. The combination of an auth-bypass primitive (forged SUPERUSER token) and a code-execution primitive (exec() over untrusted input) in the same default install removes essentially every barrier an attacker would otherwise need to clear. No EPSS score, KEV listing, public exploit, or scanner template exists yet, which caps immediate mass-exploitation confidence at MEDIUM, but the low skill bar and the framework's track record (69 prior CVEs, risk score 77/100) make rapid weaponization likely once details circulate.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch to the IBM-fixed Langflow release immediately (see vendor advisory) — do not wait for a documented CVE range if a newer release is available. 2) Until patched, never expose the Langflow API directly to the internet or untrusted networks; place it behind a VPN, mTLS, or IP allowlist, since the vulnerability lives inside the app's own auth logic. 3) Rotate any credentials/API keys accessible from the Langflow host, since a prior compromise may already have occurred. 4) Detection: alert on unauthenticated or anomalous calls to /api/v1/auto_login, especially followed by calls to /api/v1/validate/code from the same session/token; monitor for unexpected subprocess spawning or outbound connections from the Langflow service process. 5) Restrict the service account running Langflow to least privilege so exec()-based compromise has a smaller blast radius.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-9198?
Langflow's /api/v1/auto_login endpoint mints a valid SUPERUSER JWT for any unauthenticated network caller, and that token can immediately be used against /api/v1/validate/code, an endpoint that runs submitted Python through exec(). Chained together, a remote attacker with zero credentials and zero user interaction gets full code execution on any default Langflow deployment — this is as close to a worst-case CVSS 9.8 as it gets for an agent-orchestration framework. There is no EPSS score or CISA KEV listing yet and no public PoC or Nuclei template has surfaced, but the bug requires no exploitation skill (two chained HTTP calls) and Langflow already carries 69 other CVEs and a package risk score of 77/100, so mass scanning the moment this becomes public is a near-certainty. Patch to the fixed IBM Langflow release immediately, and until confirmed patched, do not expose Langflow's API on any untrusted network — put it behind authentication at the network layer (VPN/mTLS/allowlist) since the app's own auth cannot be trusted for this endpoint pair. Detection teams should alert on any external call to /api/v1/auto_login followed by /api/v1/validate/code, and hunt for unexpected child processes spawned by the Langflow service account.
Is CVE-2026-9198 actively exploited?
No confirmed active exploitation of CVE-2026-9198 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-9198?
1) Patch to the IBM-fixed Langflow release immediately (see vendor advisory) — do not wait for a documented CVE range if a newer release is available. 2) Until patched, never expose the Langflow API directly to the internet or untrusted networks; place it behind a VPN, mTLS, or IP allowlist, since the vulnerability lives inside the app's own auth logic. 3) Rotate any credentials/API keys accessible from the Langflow host, since a prior compromise may already have occurred. 4) Detection: alert on unauthenticated or anomalous calls to /api/v1/auto_login, especially followed by calls to /api/v1/validate/code from the same session/token; monitor for unexpected subprocess spawning or outbound connections from the Langflow service process. 5) Restrict the service account running Langflow to least privilege so exec()-based compromise has a smaller blast radius.
What systems are affected by CVE-2026-9198?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, internal AI dev/ops platforms.
What is the CVSS score for CVE-2026-9198?
CVE-2026-9198 has a CVSS v3.1 base score of 9.8 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0112 Machine Compromise Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments
Exploitation Scenario
An attacker scans the internet for exposed Langflow instances (default ports/paths are well known). Against a target instance, they send an unauthenticated request to /api/v1/auto_login, which returns a valid SUPERUSER JWT with no credentials required. Using that token, the attacker calls /api/v1/validate/code with a payload containing arbitrary Python (e.g., a reverse shell or credential-harvesting script), which the endpoint executes server-side via exec(). The attacker now has a shell on the host, can exfiltrate any LLM API keys, vector DB credentials, or connected tool secrets configured in Langflow flows, and can pivot further into the internal network.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- ibm.com/support/pages/node/7278927 vendor-advisory patch
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow