AI Threat Alert
CVE-2026-0769
UNKNOWNLangflow deployments exposed to the internet are trivially exploitable for unauthenticated remote code execution — no credentials needed. Any org running Langflow as part of their AI pipeline infrastructure should treat this as a P0: patch or network-isolate immediately. Until patched, restrict Langflow to internal networks only and audit for indicators of compromise.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | — | No patch |
Do you use langflow? You're affected.
Severity & Risk
Recommended Action
- 1. IMMEDIATE: Isolate all Langflow instances behind VPN or internal network — remove any public internet exposure. 2. PATCH: Apply vendor patch as soon as released; monitor ZDI advisory ZDI-26-035 and Langflow GitHub for patch ETA. 3. WORKAROUND (if patch unavailable): Disable custom component functionality via Langflow configuration or block the eval_custom_component_code API endpoint at the WAF/reverse proxy layer. 4. ROTATE CREDENTIALS: Assume any previously internet-exposed Langflow instance is compromised — rotate all LLM provider API keys, vector DB credentials, and any secrets accessible to the Langflow process. 5. DETECT: Search logs for anomalous outbound connections from Langflow hosts, unexpected process spawning, and unusual POST requests to component evaluation endpoints. 6. AUDIT: Review Langflow access logs for exploitation attempts — look for payloads containing import, os, subprocess, socket, or base64 patterns in component code fields.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972.
Exploitation Scenario
An adversary scans for Langflow instances via Shodan or direct HTTP fingerprinting (Langflow exposes identifiable UI/API endpoints). Without any authentication, they craft an HTTP POST to the eval_custom_component_code endpoint containing a Python reverse shell payload (e.g., importing subprocess and connecting back to attacker-controlled infrastructure). The Langflow server evaluates the payload and executes it in-process. The attacker now has a shell running as the Langflow service account, reads environment variables and configuration files to harvest LLM API keys and database credentials, exfiltrates the keys, and installs a persistent backdoor. In an agentic deployment, the attacker may also modify pipeline logic to inject malicious instructions into LLM prompts, causing the AI agent to exfiltrate user data or take unauthorized actions on connected tools.