CVE-2026-0768
CRITICALCVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322.
Analysis
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Langflow installations in your environment and isolate affected systems from production networks if operationally feasible. Within 7 days: Implement network-level controls (WAF rules, network segmentation) to restrict access to Langflow instances and monitor for exploitation attempts; engage with Langflow vendors for patch availability and timelines. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today