Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Command injection in Langflow up to version 1.8.4 allows authenticated remote attackers to execute arbitrary commands through the CodeParser.parse_callable_details function in the Full Builtins Module Handler component. The vulnerability has been publicly disclosed with exploit code available, affecting the code parsing functionality with limited confidentiality, integrity, and availability impact. The vendor did not respond to early disclosure notification.
Technical ContextAI
The vulnerability exists in the CodeParser.parse_callable_details function within src/lfx/src/lfx/custom/code_parser/code_parser.py of the Full Builtins Module Handler component. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates insufficient sanitization of user-controlled input before passing it to a command execution context. The code parser likely evaluates or executes dynamically generated code without proper escaping or validation of special shell metacharacters, enabling command injection when processing callable details.
RemediationAI
Upgrade Langflow to a version released after 1.8.4. The vendor did not provide a public advisory or explicit patch version number in available intelligence; check the official Langflow GitHub repository (https://github.com/langflow-ai/langflow) for the next available release. As an interim control, restrict network access to the Langflow instance to trusted authenticated users only, and implement input validation to block shell metacharacters (backticks, pipes, semicolons, ampersands, parentheses) from being passed to CodeParser.parse_callable_details. Disable or restrict the Full Builtins Module Handler if it is not required for your use case. Monitor authentication logs for unusual access patterns from low-privilege accounts.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26825