CVE-2026-9198: Langflow: token forgery + exec() chain to RCE

CRITICAL
Published July 17, 2026
CISO Take

Langflow's /api/v1/auto_login endpoint mints a valid SUPERUSER JWT for any unauthenticated network caller, and that token can immediately be used against /api/v1/validate/code, an endpoint that runs submitted Python through exec(). Chained together, a remote attacker with zero credentials and zero user interaction gets full code execution on any default Langflow deployment — this is as close to a worst-case CVSS 9.8 as it gets for an agent-orchestration framework. There is no EPSS score or CISA KEV listing yet and no public PoC or Nuclei template has surfaced, but the bug requires no exploitation skill (two chained HTTP calls) and Langflow already carries 69 other CVEs and a package risk score of 77/100, so mass scanning the moment this becomes public is a near-certainty. Patch to the fixed IBM Langflow release immediately, and until confirmed patched, do not expose Langflow's API on any untrusted network — put it behind authentication at the network layer (VPN/mTLS/allowlist) since the app's own auth cannot be trusted for this endpoint pair. Detection teams should alert on any external call to /api/v1/auto_login followed by /api/v1/validate/code, and hunt for unexpected child processes spawned by the Langflow service account.

Sources: NVD ibm.com ATLAS

What is the risk?

Critical risk. CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects an unauthenticated, no-interaction, low-complexity path to full compromise. The combination of an auth-bypass primitive (forged SUPERUSER token) and a code-execution primitive (exec() over untrusted input) in the same default install removes essentially every barrier an attacker would otherwise need to clear. No EPSS score, KEV listing, public exploit, or scanner template exists yet, which caps immediate mass-exploitation confidence at MEDIUM, but the low skill bar and the framework's track record (69 prior CVEs, risk score 77/100) make rapid weaponization likely once details circulate.

How does the attack unfold?

Discovery
Attacker scans the internet for exposed Langflow instances running the default, unpatched configuration.
AML.T0006
Authentication Bypass
Attacker calls the unauthenticated /api/v1/auto_login endpoint, which mints a valid SUPERUSER token for any caller.
AML.T0012
Code Execution
Using the forged SUPERUSER token, the attacker submits Python code to /api/v1/validate/code, which runs it via exec().
AML.T0050
Impact
The attacker achieves full remote code execution on the Langflow host, exposing connected credentials, data, and any linked AI tooling.
AML.T0112

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 34% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

1 step
  1. 1) Patch to the IBM-fixed Langflow release immediately (see vendor advisory) — do not wait for a documented CVE range if a newer release is available. 2) Until patched, never expose the Langflow API directly to the internet or untrusted networks; place it behind a VPN, mTLS, or IP allowlist, since the vulnerability lives inside the app's own auth logic. 3) Rotate any credentials/API keys accessible from the Langflow host, since a prior compromise may already have occurred. 4) Detection: alert on unauthenticated or anomalous calls to /api/v1/auto_login, especially followed by calls to /api/v1/validate/code from the same session/token; monitor for unexpected subprocess spawning or outbound connections from the Langflow service process. 5) Restrict the service account running Langflow to least privilege so exec()-based compromise has a smaller blast radius.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-9198?

Langflow's /api/v1/auto_login endpoint mints a valid SUPERUSER JWT for any unauthenticated network caller, and that token can immediately be used against /api/v1/validate/code, an endpoint that runs submitted Python through exec(). Chained together, a remote attacker with zero credentials and zero user interaction gets full code execution on any default Langflow deployment — this is as close to a worst-case CVSS 9.8 as it gets for an agent-orchestration framework. There is no EPSS score or CISA KEV listing yet and no public PoC or Nuclei template has surfaced, but the bug requires no exploitation skill (two chained HTTP calls) and Langflow already carries 69 other CVEs and a package risk score of 77/100, so mass scanning the moment this becomes public is a near-certainty. Patch to the fixed IBM Langflow release immediately, and until confirmed patched, do not expose Langflow's API on any untrusted network — put it behind authentication at the network layer (VPN/mTLS/allowlist) since the app's own auth cannot be trusted for this endpoint pair. Detection teams should alert on any external call to /api/v1/auto_login followed by /api/v1/validate/code, and hunt for unexpected child processes spawned by the Langflow service account.

Is CVE-2026-9198 actively exploited?

No confirmed active exploitation of CVE-2026-9198 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-9198?

1) Patch to the IBM-fixed Langflow release immediately (see vendor advisory) — do not wait for a documented CVE range if a newer release is available. 2) Until patched, never expose the Langflow API directly to the internet or untrusted networks; place it behind a VPN, mTLS, or IP allowlist, since the vulnerability lives inside the app's own auth logic. 3) Rotate any credentials/API keys accessible from the Langflow host, since a prior compromise may already have occurred. 4) Detection: alert on unauthenticated or anomalous calls to /api/v1/auto_login, especially followed by calls to /api/v1/validate/code from the same session/token; monitor for unexpected subprocess spawning or outbound connections from the Langflow service process. 5) Restrict the service account running Langflow to least privilege so exec()-based compromise has a smaller blast radius.

What systems are affected by CVE-2026-9198?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration pipelines, RAG pipelines, internal AI dev/ops platforms.

What is the CVSS score for CVE-2026-9198?

CVE-2026-9198 has a CVSS v3.1 base score of 9.8 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration pipelinesRAG pipelinesinternal AI dev/ops platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments

Exploitation Scenario

An attacker scans the internet for exposed Langflow instances (default ports/paths are well known). Against a target instance, they send an unauthenticated request to /api/v1/auto_login, which returns a valid SUPERUSER JWT with no credentials required. Using that token, the attacker calls /api/v1/validate/code with a payload containing arbitrary Python (e.g., a reverse shell or credential-harvesting script), which the endpoint executes server-side via exec(). The attacker now has a shell on the host, can exfiltrate any LLM API keys, vector DB credentials, or connected tool secrets configured in Langflow flows, and can pivot further into the internal network.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities